Zeroize memory in SHA3 implementation (#2171 )

* Add OQS_MEM_aligned_secure_free convenience fn Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com> * Rewrite SHA3 aligned frees to zeroize Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com> --------- Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com>
Add AVX512VL-Optimized SHA3/SHAKE Implementations (#2167 )
2025-06-23 00:01:22 -04:00 · 2025-06-20 14:12:12 -04:00 · 2025-06-20 13:37:32 -04:00 · 2025-06-19 14:45:44 -04:00 · 2025-06-18 11:38:44 -04:00 · 2025-06-16 10:50:07 -04:00
4243 changed files with 606064 additions and 141100 deletions
--- a/.CMake/alg_support.cmake
+++ b/.CMake/alg_support.cmake
@ -31,6 +31,7 @@ function(filter_algs alglist)
          string(REPLACE "_aesni" "" _var_base ${_var})
          string(REPLACE "_avx2" "" _var_base ${_var_base})
          string(REPLACE "_avx" "" _var_base ${_var_base})
          string(REPLACE "_x86_64" "" _var_base ${_var_base})
          string(REPLACE "_aarch64" "" _var_base ${_var_base})
 	  foreach (_alg ${ARGV0})
            if(${_var}_AVAILABLE)
@ -77,6 +78,13 @@ if(OQS_DIST_X86_64_BUILD OR OQS_USE_AVX2_INSTRUCTIONS)
 endif()
 endif()
 # SHA3 AVX512VL only supported on Linux x86_64
 if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND (OQS_DIST_X86_64_BUILD OR OQS_USE_AVX512_INSTRUCTIONS))
    cmake_dependent_option(OQS_USE_SHA3_AVX512VL "Enable SHA3 AVX512VL usage" ON "NOT OQS_USE_SHA3_OPENSSL" OFF)
 else()
    option(OQS_USE_SHA3_AVX512VL "Enable SHA3 AVX512VL usage" OFF)
 endif()
 # BIKE is not supported on Windows, 32-bit ARM, X86, S390X (big endian) and PPC64 (big endian)
 cmake_dependent_option(OQS_ENABLE_KEM_BIKE "Enable BIKE algorithm family" ON "NOT WIN32; NOT ARCH_ARM32v7; NOT ARCH_X86; NOT ARCH_S390X; NOT ARCH_PPC64" OFF)
 # BIKE doesn't work on any 32-bit platform
@ -116,7 +124,7 @@ cmake_dependent_option(OQS_ENABLE_KEM_classic_mceliece_6960119f "" ON "OQS_ENABL
 cmake_dependent_option(OQS_ENABLE_KEM_classic_mceliece_8192128 "" ON "OQS_ENABLE_KEM_CLASSIC_MCELIECE" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_classic_mceliece_8192128f "" ON "OQS_ENABLE_KEM_CLASSIC_MCELIECE" OFF)
-option(OQS_ENABLE_KEM_HQC "Enable hqc algorithm family" ON)
+option(OQS_ENABLE_KEM_HQC "Enable hqc algorithm family" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_hqc_128 "" ON "OQS_ENABLE_KEM_HQC" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_hqc_192 "" ON "OQS_ENABLE_KEM_HQC" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_hqc_256 "" ON "OQS_ENABLE_KEM_HQC" OFF)
@ -137,11 +145,8 @@ cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3 "" ON "OQS_ENABLE_SIG_DILITHIU
 cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
 option(OQS_ENABLE_SIG_ML_DSA "Enable ml_dsa algorithm family" ON)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 option(OQS_ENABLE_SIG_FALCON "Enable falcon algorithm family" ON)
@ -189,6 +194,34 @@ cmake_dependent_option(OQS_ENABLE_SIG_cross_rsdpg_192_small "" ON "OQS_ENABLE_SI
 cmake_dependent_option(OQS_ENABLE_SIG_cross_rsdpg_256_balanced "" ON "OQS_ENABLE_SIG_CROSS" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_cross_rsdpg_256_fast "" ON "OQS_ENABLE_SIG_CROSS" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_cross_rsdpg_256_small "" ON "OQS_ENABLE_SIG_CROSS" OFF)
 option(OQS_ENABLE_SIG_UOV "Enable uov algorithm family" ON)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_pkc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_pkc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_pkc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_pkc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_pkc_skc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_pkc_skc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_pkc_skc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_pkc_skc "" ON "OQS_ENABLE_SIG_UOV" OFF)
 option(OQS_ENABLE_SIG_SNOVA "Enable snova algorithm family" ON)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_esk "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_esk "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_37_17_2 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_25_8_3 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_56_25_2 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_49_11_3 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_37_8_4 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_5 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_60_10_4 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_29_6_5 "" ON "OQS_ENABLE_SIG_SNOVA" OFF)
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_ADD_ENABLE_BY_ALG_END
 ##### OQS_COPY_FROM_LIBJADE_FRAGMENT_ADD_ENABLE_BY_ALG_START
@ -217,7 +250,7 @@ elseif (${OQS_ALGS_ENABLED} STREQUAL "STD")
 elseif(${OQS_ALGS_ENABLED} STREQUAL "NIST_R4")
 	filter_algs("KEM_classic_mceliece_348864;KEM_classic_mceliece_348864f;KEM_classic_mceliece_460896;KEM_classic_mceliece_460896f;KEM_classic_mceliece_6688128;KEM_classic_mceliece_6688128f;KEM_classic_mceliece_6960119;KEM_classic_mceliece_6960119f;KEM_classic_mceliece_8192128;KEM_classic_mceliece_8192128f;KEM_hqc_128;KEM_hqc_192;KEM_hqc_256;KEM_bike_l1;KEM_bike_l3;KEM_bike_l5")
 elseif(${OQS_ALGS_ENABLED} STREQUAL "NIST_SIG_ONRAMP")
-	filter_algs("SIG_mayo_1;SIG_mayo_2;SIG_mayo_3;SIG_mayo_5;SIG_cross_rsdp_128_balanced;SIG_cross_rsdp_128_fast;SIG_cross_rsdp_128_small;SIG_cross_rsdp_192_balanced;SIG_cross_rsdp_192_fast;SIG_cross_rsdp_192_small;SIG_cross_rsdp_256_balanced;SIG_cross_rsdp_256_fast;SIG_cross_rsdp_256_small;SIG_cross_rsdpg_128_balanced;SIG_cross_rsdpg_128_fast;SIG_cross_rsdpg_128_small;SIG_cross_rsdpg_192_balanced;SIG_cross_rsdpg_192_fast;SIG_cross_rsdpg_192_small;SIG_cross_rsdpg_256_balanced;SIG_cross_rsdpg_256_fast;SIG_cross_rsdpg_256_small")
+	filter_algs("SIG_mayo_1;SIG_mayo_2;SIG_mayo_3;SIG_mayo_5;SIG_cross_rsdp_128_balanced;SIG_cross_rsdp_128_fast;SIG_cross_rsdp_128_small;SIG_cross_rsdp_192_balanced;SIG_cross_rsdp_192_fast;SIG_cross_rsdp_192_small;SIG_cross_rsdp_256_balanced;SIG_cross_rsdp_256_fast;SIG_cross_rsdp_256_small;SIG_cross_rsdpg_128_balanced;SIG_cross_rsdpg_128_fast;SIG_cross_rsdpg_128_small;SIG_cross_rsdpg_192_balanced;SIG_cross_rsdpg_192_fast;SIG_cross_rsdpg_192_small;SIG_cross_rsdpg_256_balanced;SIG_cross_rsdpg_256_fast;SIG_cross_rsdpg_256_small;SIG_uov_ov_Ip;SIG_uov_ov_Is;SIG_uov_ov_III;SIG_uov_ov_V;SIG_uov_ov_Ip_pkc;SIG_uov_ov_Is_pkc;SIG_uov_ov_III_pkc;SIG_uov_ov_V_pkc;SIG_uov_ov_Ip_pkc_skc;SIG_uov_ov_Is_pkc_skc;SIG_uov_ov_III_pkc_skc;SIG_uov_ov_V_pkc_skc;SNOVA_24_5_4;SNOVA_24_5_4_SHAKE;SNOVA_24_5_4_esk;SNOVA_24_5_4_SHAKE_esk;SNOVA_37_17_2;SNOVA_25_8_3;SNOVA_56_25_2;SNOVA_49_11_3;SNOVA_37_8_4;SNOVA_24_5_5;SNOVA_60_10_4;SNOVA_29_6_5")
 else()
 	message(STATUS "Alg enablement unchanged")
 endif()
@ -337,19 +370,61 @@ endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_512" OFF)
+    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_x86_64 "" ON "OQS_ENABLE_KEM_ml_kem_512" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_aarch64 "" ON "OQS_ENABLE_KEM_ml_kem_512" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_USE_CUPQC)
    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_cuda "" ON "OQS_ENABLE_KEM_ml_kem_512" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_768" OFF)
+    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_x86_64 "" ON "OQS_ENABLE_KEM_ml_kem_768" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_aarch64 "" ON "OQS_ENABLE_KEM_ml_kem_768" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_USE_CUPQC)
    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_cuda "" ON "OQS_ENABLE_KEM_ml_kem_768" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_1024" OFF)
+    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_x86_64 "" ON "OQS_ENABLE_KEM_ml_kem_1024" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_aarch64 "" ON "OQS_ENABLE_KEM_ml_kem_1024" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_USE_CUPQC)
    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_cuda "" ON "OQS_ENABLE_KEM_ml_kem_1024" OFF)
 endif()
 endif()
@ -393,21 +468,18 @@ endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44_ipd" OFF)
    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65_ipd" OFF)
    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87_ipd" OFF)
    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87" OFF)
 endif()
 endif()
@ -533,24 +605,48 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_1_neon "" ON "OQS_ENABLE_SIG_mayo_1" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_2_avx2 "" ON "OQS_ENABLE_SIG_mayo_2" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_2_neon "" ON "OQS_ENABLE_SIG_mayo_2" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_3_avx2 "" ON "OQS_ENABLE_SIG_mayo_3" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_3_neon "" ON "OQS_ENABLE_SIG_mayo_3" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_5_avx2 "" ON "OQS_ENABLE_SIG_mayo_5" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_mayo_5_neon "" ON "OQS_ENABLE_SIG_mayo_5" OFF)
 endif()
 endif()
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_cross_rsdp_128_balanced_avx2 "" ON "OQS_ENABLE_SIG_cross_rsdp_128_balanced" OFF)
@ -624,6 +720,296 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_cross_rsdpg_256_small_avx2 "" ON "OQS_ENABLE_SIG_cross_rsdpg_256_small" OFF)
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_neon "" ON "OQS_ENABLE_SIG_uov_ov_Is" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_Is" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_neon "" ON "OQS_ENABLE_SIG_uov_ov_Ip" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_Ip" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_neon "" ON "OQS_ENABLE_SIG_uov_ov_III" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_III" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_neon "" ON "OQS_ENABLE_SIG_uov_ov_V" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_V" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_pkc_neon "" ON "OQS_ENABLE_SIG_uov_ov_Is_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_pkc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_Is_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_pkc_neon "" ON "OQS_ENABLE_SIG_uov_ov_Ip_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_pkc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_Ip_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_pkc_neon "" ON "OQS_ENABLE_SIG_uov_ov_III_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_pkc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_III_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_pkc_neon "" ON "OQS_ENABLE_SIG_uov_ov_V_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_pkc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_V_pkc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_pkc_skc_neon "" ON "OQS_ENABLE_SIG_uov_ov_Is_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Is_pkc_skc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_Is_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_pkc_skc_neon "" ON "OQS_ENABLE_SIG_uov_ov_Ip_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_Ip_pkc_skc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_Ip_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_pkc_skc_neon "" ON "OQS_ENABLE_SIG_uov_ov_III_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_III_pkc_skc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_III_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_pkc_skc_neon "" ON "OQS_ENABLE_SIG_uov_ov_V_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_uov_ov_V_pkc_skc_avx2 "" ON "OQS_ENABLE_SIG_uov_ov_V_pkc_skc" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_esk_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4_esk" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_esk_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4_esk" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_esk_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_esk" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_esk_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_4_SHAKE_esk" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_37_17_2_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_37_17_2" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_37_17_2_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_37_17_2" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_25_8_3_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_25_8_3" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_25_8_3_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_25_8_3" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_56_25_2_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_56_25_2" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_56_25_2_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_56_25_2" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_49_11_3_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_49_11_3" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_49_11_3_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_49_11_3" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_37_8_4_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_37_8_4" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_37_8_4_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_37_8_4" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_5_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_5" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_24_5_5_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_24_5_5" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_60_10_4_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_60_10_4" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_60_10_4_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_60_10_4" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_29_6_5_avx2 "" ON "OQS_ENABLE_SIG_snova_SNOVA_29_6_5" OFF)
 endif()
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
    cmake_dependent_option(OQS_ENABLE_SIG_snova_SNOVA_29_6_5_neon "" ON "OQS_ENABLE_SIG_snova_SNOVA_29_6_5" OFF)
 endif()
 endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_ADD_ENABLE_BY_ALG_CONDITIONAL_END
 ##### OQS_COPY_FROM_LIBJADE_FRAGMENT_ADD_ENABLE_BY_ALG_CONDITIONAL_START
@ -739,8 +1125,8 @@ if(OQS_ALLOW_STFL_KEY_AND_SIG_GEN  STREQUAL "ON")
    message(STATUS "Experimental stateful key and signature generation is enabled. Ensure secret keys are securely stored to prevent multiple simultaneous sign operations.")
 endif()
-# Set XKCP (Keccak) required for Sphincs AVX2 code even if OpenSSL3 SHA3 is used:
+# Set XKCP (Keccak) required for Sphincs and SNOVA AVX2 code even if OpenSSL3 SHA3 is used:
-if (${OQS_ENABLE_SIG_SPHINCS} OR NOT ${OQS_USE_SHA3_OPENSSL})
+if (${OQS_ENABLE_SIG_SPHINCS} OR ${OQS_ENABLE_SIG_SNOVA} OR NOT ${OQS_USE_SHA3_OPENSSL})
    set(OQS_ENABLE_SHA3_xkcp_low ON)
 else()
    set(OQS_ENABLE_SHA3_xkcp_low OFF)
--- a/.CMake/compiler_opts.cmake
+++ b/.CMake/compiler_opts.cmake
@ -113,6 +113,10 @@ if(CMAKE_C_COMPILER_ID MATCHES "Clang")
    if(${OQS_DEBUG_BUILD})
        add_compile_options(-g3)
        add_compile_options(-fno-omit-frame-pointer)
 	if(${USE_COVERAGE})
            add_compile_options(-coverage)
            add_link_options(-coverage)
 	endif()
        if(USE_SANITIZER STREQUAL "Address")
            add_compile_options(-fno-optimize-sibling-calls)
            add_compile_options(-fsanitize-address-use-after-scope)
@ -175,6 +179,10 @@ elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
    if(${OQS_DEBUG_BUILD})
        add_compile_options (-Wstrict-overflow)
        add_compile_options(-ggdb3)
 	if(${USE_COVERAGE})
            add_compile_options(-coverage)
            add_link_options(-coverage)
 	endif()
    else()
        add_compile_options(-O3)
        add_compile_options(-fomit-frame-pointer)
@ -207,11 +215,14 @@ endif()
 if(MINGW OR MSYS OR CYGWIN)
    set(OQS_USE_PTHREADS OFF)
-    add_compile_options(-Wno-maybe-uninitialized)
+    # Apply -Wno-maybe-uninitialized only for GCC
    if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
        add_compile_options(-Wno-maybe-uninitialized)
    endif()
    if(CMAKE_VERSION VERSION_GREATER_EQUAL "3.13.0")
        add_link_options(-Wl,--stack,16777216)
    else()
-        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--stack,1677216")
+        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--stack,16777216")
    endif()
 endif()
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1,11 +1,24 @@
 # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
-* @dstebila
+* @dstebila @baentsch
 /.github/workflows @SWilson4
-/scripts/copy_from_upstream @baentsch @bhess @alexrow
+/docs/cbom.json @bhess
 /scripts/copy_from_upstream @baentsch @bhess @alexrow @praveksharma
 /src/common @dstebila
-/src/kem/bike @crockeea
+/src/common/*/*arm* @Martyrshot
 /src/common/libjade_shims @praveksharma
 /src/kem/bike @brian-jarvis-aws
 /src/kem/frodokem @dstebila
-/src/kem/kyber @jschanck @bhess
+/src/kem/kyber @bhess
 /src/kem/kyber/libjade* @praveksharma
 /src/kem/ml_kem @bhess
 /src/sig/cross @alexrow
 /src/sig/dilithium @bhess
 /src/sig/mayo @bhess
 /src/sig/ml_dsa @bhess
 /src/sig_stfl/lms @ashman-p
 /src/sig_stfl/xmss @cothan
 /tests/ACVP_Vectors @bhess
 /tests/PQC_Intermediate_Values @bhess
 /tests/test_acvp_vectors.py @bhess
 /tests/test_sig_stfl.c @ashman-p @cothan
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@ -1,13 +1,6 @@
 # Labels of self-hosted runner in array of strings.
 # NB. oqs-arm64 is not self-hosted but this configuration
 #     is required for liboqs to lint correctly with actionlint v1.7.1
 self-hosted-runner:
  # Labels of self-hosted runner in array of string
  labels:
    - oqs-arm64
 # Configuration variables in array of strings defined in your repository or organization
 # From https://github.com/rhysd/actionlint/blob/v1.7.7/docs/config.md:
 # "When an array is set, actionlint will check vars properties strictly. An empty array means no variable is allowed."
 config-variables:
  # - DEFAULT_RUNNER
  # - JOB_NAME
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@ -6,7 +6,6 @@ permissions:
 on: [workflow_call, workflow_dispatch]
 jobs:
  workflowcheck:
    name: Check validity of GitHub workflows
    runs-on: ubuntu-latest
@ -19,7 +18,7 @@ jobs:
  stylecheck:
    name: Check code formatting
-    needs: [ workflowcheck ]
+    needs: [workflowcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
@ -34,7 +33,7 @@ jobs:
  upstreamcheck:
    name: Check upstream code is properly integrated
-    needs: [ workflowcheck ]
+    needs: [workflowcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
@ -47,41 +46,128 @@ jobs:
          git config --global --add safe.directory "$PWD" && \
          echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV"
      - name: Verify copy_from_upstream state after copy
-        working-directory: 'scripts/copy_from_upstream'
+        working-directory: "scripts/copy_from_upstream"
        run: |
-          python3 copy_from_upstream.py copy && \
+          python3 copy_from_upstream.py -d copy && \
-          ! git status | grep -i modified
+          git status --porcelain && \
          test -z "$(git status --porcelain)"
      - name: Verify copy_from_upstream state after libjade
-        working-directory: 'scripts/copy_from_upstream'
+        working-directory: "scripts/copy_from_upstream"
        run: |
-          python3 copy_from_upstream.py libjade && \
+          python3 copy_from_upstream.py -d libjade && \
-          ! git status | grep -i modified
+          git status --porcelain && \
          test -z "$(git status --porcelain)"
  buildcheck:
    name: Check that code passes a basic build
-    needs: [ workflowcheck, stylecheck, upstreamcheck ]
+    needs: [workflowcheck, stylecheck, upstreamcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    env:
      KEM_NAME: ml_kem_768
      SIG_NAME: ml_dsa_65
    steps:
      - name: Create random build folder
        run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
-          mkdir build && \
+          cmake \
-          cd build && \
+            -B ${{ env.RANDOM_BUILD_DIR }} \
          cmake -GNinja -DOQS_STRICT_WARNINGS=ON \
            -GNinja \
            -DOQS_STRICT_WARNINGS=ON \
            -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \
-            --warn-uninitialized .. > config.log 2>&1 && \
+            --warn-uninitialized . > config.log 2>&1 && \
          cat config.log && \
-          cmake -LA -N .. && \
+          cmake -LA -N . && \
          ! (grep -i "uninitialized variable" config.log)
      - name: Build code
        run: ninja
-        working-directory: build
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
      - name: Build documentation
        run: ninja gen_docs
-        working-directory: build
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
  cppcheck:
    name: Check C++ linking with example program
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    env:
      SIG_NAME: dilithium_2
    steps:
      - name: Create random build folder
        run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          cmake \
            -B ${{ env.RANDOM_BUILD_DIR }} \
            -GNinja \
            -DOQS_STRICT_WARNINGS=ON \
            -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \
            --warn-uninitialized . > config.log 2>&1 && \
          cat config.log && \
          cmake -LA -N . && \
          ! (grep -i "uninitialized variable" config.log)
      - name: Build liboqs
        run: ninja
        working-directory: ${{ env.RANDOM_BUILD_DIR }}
      - name: Link with C++ program
        run: |
          g++ "$GITHUB_WORKSPACE"/cpp/sig_linking_test.cpp -g \
          -I./include -L./lib -loqs -lcrypto -std=c++11 -o example_sig && \
          ./example_sig
        working-directory: ${{ env.RANDOM_BUILD_DIR }}
  fuzzbuildcheck:
    name: Check that code passes a basic fuzzing build
    needs: [workflowcheck, stylecheck, upstreamcheck]
    runs-on: ubuntu-latest
    container: openquantumsafe/ci-ubuntu-latest:latest
    env:
      SIG_NAME: dilithium_2
      CC: clang
      CXX: clang++
      CFLAGS: -fsanitize=fuzzer-no-link,address
      LDFLAGS: -fsanitize=address
    steps:
      - name: Create random build folder
        run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          cmake \
            -B ${{ env.RANDOM_BUILD_DIR }} \
            -GNinja \
            -DOQS_STRICT_WARNINGS=ON \
            -DOQS_BUILD_FUZZ_TESTS=ON \
            -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \
            --warn-uninitialized . > config.log 2>&1 && \
          cat config.log && \
          cmake -LA -N . && \
          ! (grep -i "uninitialized variable" config.log)
      - name: Build code
        run: ninja fuzz_test_sig
        working-directory: ${{ env.RANDOM_BUILD_DIR }}
      - name: Short fuzz check (30s)
        run: ./tests/fuzz_test_sig -max_total_time=30
        working-directory: ${{ env.RANDOM_BUILD_DIR }}
  nixflakecheck:
    name: Check that Nix flake has correct syntax and can build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Install Nix
        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72
      - name: Check devShell
        run: nix develop --command echo 
      - name: Check flake syntax
        run: nix flake check --no-build # check for accurate syntax
      - name: Check that the flake builds
        run: nix build # check that the build runs
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@ -0,0 +1,60 @@
 name: Code coverage tests
 permissions:
  contents: read
 on: [workflow_call, workflow_dispatch]
 jobs:
  coverage:
    name: Run code coverage testing
    strategy:
      matrix:
        # The 'id' value for each job should be added to the 'carry-forward' string in the 'finish' job.
        include:
          - id: x64-generic
            runner: ubuntu-latest
            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic
          - id: x64-distbuild
            runner: ubuntu-latest
            CMAKE_ARGS: -DOQS_DIST_BUILD=ON
          - id: arm64-distbuild
            runner: ubuntu-24.04-arm
            CMAKE_ARGS: -DOQS_DIST_BUILD=ON
    runs-on: ${{ matrix.runner }}
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: |
          mkdir build && cd build && \
          cmake -GNinja -DCMAKE_BUILD_TYPE=Debug -DUSE_COVERAGE=ON ${{ matrix.CMAKE_ARGS }} .. && \
          cmake -LA -N ..
      - name: Build
        run: ninja
        working-directory: build
      - name: Run tests
        run: |
          python3 -m pytest --verbose --numprocesses=auto \
          tests/test_acvp_vectors.py \
          tests/test_cmdline.py \
          tests/test_kat.py
      - name: Run lcov
        run: lcov -d . -c -o lcov.info --exclude /usr/lib,/usr/include --ignore-errors unused
      - name: Upload to coveralls.io
        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # pin@v2.3.6
        with:
          flag-name: ${{ matrix.id }}
          parallel: true
  finish:
    needs: coverage
    if: ${{ always() }}
    runs-on: ubuntu-latest
    steps:
      - name: Finish coveralls.io
        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # pin@v2.3.6
        with:
          parallel-finished: true
          carry-forward: "x64-generic,x64-distbuild,arm64-distbuild"
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@ -12,28 +12,27 @@ jobs:
  platform-tests:
    uses: ./.github/workflows/platforms.yml
  code-coverage:
    uses: ./.github/workflows/code-coverage.yml
    secrets: inherit
  scorecard:
    uses: ./.github/workflows/scorecard.yml
    secrets: inherit
    # complete list of permissions keys as per
    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
    # accessed September 4, 2024
    permissions:
      actions: read
      attestations: read
      checks: read
      contents: read
      deployments: read
      id-token: write
      issues: read
      discussions: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      security-events: write
      statuses: read
  basic-downstream:
    uses: ./.github/workflows/downstream-basic.yml
    secrets: inherit
  call-kem-benchmarking:
    uses: ./.github/workflows/kem-bench.yml
    permissions:
      contents: write
  call-sig-benchmarking:
    uses: ./.github/workflows/sig-bench.yml
    permissions:
      contents: write
--- a/.github/workflows/downstream-basic.yml
+++ b/.github/workflows/downstream-basic.yml
@ -81,3 +81,27 @@ jobs:
               --data '{"event_type":"liboqs-upstream-trigger"}' \
               https://api.github.com/repos/open-quantum-safe/liboqs-python/dispatches | tee curl_out \
          && grep -q "204" curl_out
      - name: Trigger liboqs-java CI
        if: ${{ !cancelled() }} # run all steps independent of failures
        run: |
          curl --silent \
               --write-out "\n%{response_code}\n" \
               --request POST \
               --header "Accept: application/vnd.github+json" \
               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
               --header "X-GitHub-Api-Version: 2022-11-28" \
               --data '{"event_type":"liboqs-upstream-trigger"}' \
               https://api.github.com/repos/open-quantum-safe/liboqs-java/dispatches | tee curl_out \
          && grep -q "204" curl_out
      - name: Trigger liboqs-rust CI
        if: ${{ !cancelled() }} # run all steps independent of failures
        run: |
          curl --silent \
               --write-out "\n%{response_code}\n" \
               --request POST \
               --header "Accept: application/vnd.github+json" \
               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
               --header "X-GitHub-Api-Version: 2022-11-28" \
               --data '{"event_type":"liboqs-upstream-trigger"}' \
               https://api.github.com/repos/open-quantum-safe/liboqs-rust/dispatches | tee curl_out \
          && grep -q "204" curl_out
--- a/.github/workflows/kem-bench.yml
+++ b/.github/workflows/kem-bench.yml
@ -0,0 +1,121 @@
 name: kem benchmark
 on:
  workflow_dispatch:
  workflow_call:
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Checkout repository
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
        with:
          fetch-depth: 0
      # Set up dependencies
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y cmake ninja-build gcc g++ python3 python3-pip
          sudo apt-get install -y python3-cpuinfo
      # Build the speed_kem binary only
      - name: Build speed_kem binary
        run: |
          mkdir -p build
          cd build
          cmake -GNinja .. -DBUILD_SHARED_LIBS=OFF
          ninja speed_kem
      # Copy the parse_liboqs_speed.py script
      - name: Copy parse_liboqs_speed.py
        run: |
          cp scripts/parse_liboqs_speed.py build/tests/
      # Upload the built binary and script as an artifact
      - name: Upload artifacts
        uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
        with:
          name: built-binary
          path: build/tests/
  benchmark:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    strategy:
      matrix: 
        algorithm: [ # List of available KEMs to perform the benchmarking on
          "BIKE-L1",
          "BIKE-L3", 
          "BIKE-L5",
          "Classic-McEliece-348864", 
          "Classic-McEliece-348864f",
          "Classic-McEliece-460896", 
          "Classic-McEliece-460896f",
          "Classic-McEliece-6688128", 
          "Classic-McEliece-6688128f",
          "Classic-McEliece-6960119", 
          "Classic-McEliece-6960119f",
          "Classic-McEliece-8192128", 
          "Classic-McEliece-8192128f",
          "Kyber512",
          "Kyber768",
          "Kyber1024",
          "ML-KEM-512",
          "ML-KEM-768",
          "ML-KEM-1024",
          "sntrup761",
          "FrodoKEM-640-AES", 
          "FrodoKEM-640-SHAKE",
          "FrodoKEM-976-AES", 
          "FrodoKEM-976-SHAKE",
          "FrodoKEM-1344-AES", 
          "FrodoKEM-1344-SHAKE"
        ]
      max-parallel: 1 # No parallel jobs to not compromise the pull-push operations of the benchmarking actions below
    steps:
      # Ensure the repository is checked out
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
        with:
          fetch-depth: 0
      # Download the built binary and script
      - name: Download artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # pin@v4
        with:
          name: built-binary
          path: build/tests/
      # Set execute permissions for the binary
      - name: Set execute permissions
        run: chmod +x build/tests/speed_kem
      # Run speed_kem tests for each algorithm
      - name: Run speed_kem tests
        run: |
          cd build/tests
          ./speed_kem "${{matrix.algorithm}}" > ${{matrix.algorithm}}_output.txt
          python3 parse_liboqs_speed.py ${{matrix.algorithm}}_output.txt --algorithm ${{matrix.algorithm}}
      # Push to GitHub pages using continuous-benchmark
      - name: Store benchmark result
        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7
        with:
          name: ${{matrix.algorithm}}
          tool: "customSmallerIsBetter"
          output-file-path: build/tests/${{matrix.algorithm}}_formatted.json
          github-token: ${{ secrets.GITHUB_TOKEN }}
          auto-push: true
          comment-on-alert: true
          summary-always: true
          alert-threshold: 105%
          comment-always: false
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -13,7 +13,7 @@ jobs:
      matrix:
        include:
          - name: arm64
-            runner: oqs-arm64
+            runner: ubuntu-24.04-arm
            container: openquantumsafe/ci-ubuntu-latest:latest
            PYTEST_ARGS: --maxprocesses=10 --ignore=tests/test_kat_all.py
            CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON
@ -112,6 +112,11 @@ jobs:
            container: openquantumsafe/ci-ubuntu-latest:latest
            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
            PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10
          - name: noble-no-sha3-avx512vl
            runner: ubuntu-latest
            container: openquantumsafe/ci-ubuntu-latest:latest
            CMAKE_ARGS: -DOQS_USE_SHA3_AVX512VL=OFF
            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
    runs-on: ${{ matrix.runner }}
    container:
      image: ${{ matrix.container }}
@ -123,6 +128,12 @@ jobs:
      - name: Build
        run: ninja
        working-directory: build
      - name: Check the library artifacts
        if: matrix.name == 'jammy-std-openssl3-dlopen'
        run: |
          nm -gu lib/liboqs.so | sed -n 's/^[[:space:]]*[Uw] \([^_].*\)/\1/p' > undefined-syms.txt &&
          ! (grep '^\(CRYPTO\|ERR\|EVP\|OPENSSL\|RAND\)_' undefined-syms.txt)
        working-directory: build
      - name: Run tests
        timeout-minutes: 60
        run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --numprocesses=auto ${{ matrix.PYTEST_ARGS }}
@ -132,13 +143,13 @@ jobs:
        working-directory: build
      - name: Retain .deb file
        if: matrix.name == 'jammy-std-openssl3'
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # pin@v4
        with:
          name: liboqs-openssl3-shared-x64
          path: build/*.deb
      - name: Check STD algorithm and alias
        if: matrix.name == 'jammy-std-openssl3'
-        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n    isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
+        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
        working-directory: build
  linux_arm_emulated:
@ -217,7 +228,7 @@ jobs:
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Retrieve OpenSSL330 from cache
        id: cache-openssl330
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4
        with:
          path: .localopenssl330
          key: ${{ runner.os }}-openssl330
@ -240,7 +251,7 @@ jobs:
      - name: Save OpenSSL
        id: cache-openssl-save
        if: steps.cache-openssl330.outputs.cache-hit != 'true'
-        uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # pin@v3
+        uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4
        with:
          path: |
            .localopenssl330
@ -259,9 +270,42 @@ jobs:
    container: openquantumsafe/ci-ubuntu-latest:latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Configure
        run: mkdir build && cd build && scan-build --status-bugs cmake -GNinja ..
      - name: Build
        run: scan-build --status-bugs ninja
        working-directory: build
  linux_x86_emulated:
    runs-on: ubuntu-latest
    container:
      image: openquantumsafe/ci-ubuntu-latest:latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: avx512-ml-kem_ml-dsa
            SDE_ARCH: -skx
            CMAKE_ARGS: -DOQS_MINIMAL_BUILD="KEM_ml_kem_512;KEM_ml_kem_768;KEM_ml_kem_1024;SIG_ml_dsa_44;SIG_ml_dsa_65;SIG_ml_dsa_87"
            PYTEST_ARGS: tests/test_hash.py::test_sha3 tests/test_kat.py tests/test_acvp_vectors.py
    env:
      SDE_URL: https://downloadmirror.intel.com/850782/sde-external-9.53.0-2025-03-16-lin.tar.xz
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Setup Intel SDE
        run: |
          wget -O sde.tar.xz "$SDE_URL" && \
            mkdir sde && tar -xf sde.tar.xz -C sde --strip-components=1 && \
            echo "$(pwd)/sde" >> $GITHUB_PATH
      - name: Configure
        run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
      - name: Build
        run: ninja
        working-directory: build
      - name: Run tests
        timeout-minutes: 60
        run: |
          mkdir -p tmp && sde64 ${{ matrix.SDE_ARCH }} -- \
            python3 -m pytest --verbose --numprocesses=auto ${{ matrix.PYTEST_ARGS }}
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -12,13 +12,13 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          # macos-14 runs on aarch64; the others run on x64
+          # macos-13 runs on x64; the others run on aarch64
          - macos-12
          - macos-13
          - macos-14
          - macos-15
        CMAKE_ARGS:
          - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
-          - -DCMAKE_C_COMPILER=gcc-13
+          - -DCMAKE_C_COMPILER=gcc-14
          - -DOQS_USE_OPENSSL=OFF
          - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF
        libjade-build:
@ -27,13 +27,20 @@ jobs:
          # libjade to minimise repeated tests
          - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
        exclude:
-          # macos-14 runs on aarch64, libjade targets x86
+          # macos-14 and macos-15 run on aarch64, libjade targets x86
          # Skip testing libjade on macos-14
          - os: macos-14
            libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
          - os: macos-15
            libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
          # No point in testing stateful sigs with minimal libjade build
          - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
            CMAKE_ARGS: -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
          # Failing configuration on Github actions; see https://github.com/open-quantum-safe/liboqs/pull/2148
          - os: macos-15
            CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-14
            libjade-build: -DOQS_LIBJADE_BUILD=OFF
    runs-on: ${{ matrix.os }}
    steps:
      - name: Install Python
@ -44,8 +51,6 @@ jobs:
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
      - name: Install dependencies
        run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt
      - name: Patch GCC
        run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula gcc@13.rb
      - name: Get system information
        run: sysctl -a | grep machdep.cpu
      - name: Configure
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -18,25 +18,15 @@ jobs:
    needs: basic-checks
    uses: ./.github/workflows/platforms.yml
  code-coverage:
    needs: basic-checks
    uses: ./.github/workflows/code-coverage.yml
    secrets: inherit
  scorecard:
    needs: basic-checks
    uses: ./.github/workflows/scorecard.yml
    secrets: inherit
    # complete list of permissions keys as per
    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
    # accessed September 4, 2024
    permissions:
      actions: read
      attestations: read
      checks: read
      contents: read
      deployments: read
      id-token: write
      issues: read
      discussions: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      security-events: write
      statuses: read
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -1,6 +1,6 @@
 name: Scorecard supply-chain security
-permissions: read-all
+permissions: {}
 on:
  # For Branch-Protection check. Only the default branch is supported. See
@ -9,6 +9,7 @@ on:
  workflow_call:
  workflow_dispatch:
 jobs:
  analysis:
    name: Scorecard analysis
@ -24,12 +25,12 @@ jobs:
    steps:
      - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
        with:
          persist-credentials: false
      - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # pin@v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
@ -46,18 +47,18 @@ jobs:
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
-          publish_results: false
+          publish_results: true
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # pin@v4
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # pin@v4
        with:
          name: SARIF file
          path: results.sarif
-          retention-days: 5
+          retention-days: 28
      # Upload the results to GitHub's code scanning dashboard.
-      #- name: "Upload to code-scanning"
+      - name: "Upload to code-scanning"
-      #  uses: github/codeql-action/upload-sarif@e949a1676c32f4c215780f7429eb9f00ff18b225 # pin@v2
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # pin@v3
-      #  with:
+        with:
-      #    sarif_file: results.sarif
+          sarif_file: results.sarif
--- a/.github/workflows/sig-bench.yml
+++ b/.github/workflows/sig-bench.yml
@ -0,0 +1,151 @@
 name: sig benchmark
 on:
  workflow_dispatch:
  workflow_call:
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Checkout repository
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
        with:
          fetch-depth: 0
      # Set up dependencies
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y cmake ninja-build gcc g++ python3 python3-pip
          sudo apt-get install -y python3-cpuinfo
      # Build the speed_sig binary only
      - name: Build speed_sig binary
        run: |
          mkdir -p build
          cd build
          cmake -GNinja .. -DBUILD_SHARED_LIBS=OFF
          ninja speed_sig
      # Copy the parse_liboqs_speed.py script
      - name: Copy parse_liboqs_speed.py
        run: |
          cp scripts/parse_liboqs_speed.py build/tests/
      # Upload the built binary and script as an artifact
      - name: Upload artifacts
        uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
        with:
          name: built-sig-binary
          path: build/tests/
  benchmark:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    strategy:
      matrix:
        algorithm: [ # List of available signatures to perform the benchmarking on
          "Dilithium2",
          "Dilithium3",
          "Dilithium5",
          "ML-DSA-44",
          "ML-DSA-65",
          "ML-DSA-87",
          "Falcon-512",
          "Falcon-1024",
          "Falcon-padded-512",
          "Falcon-padded-1024",
          "SPHINCS+-SHA2-128f-simple",
          "SPHINCS+-SHA2-128s-simple",
          "SPHINCS+-SHA2-192f-simple",
          "SPHINCS+-SHA2-192s-simple",
          "SPHINCS+-SHA2-256f-simple",
          "SPHINCS+-SHA2-256s-simple",
          "SPHINCS+-SHAKE-128f-simple",
          "SPHINCS+-SHAKE-128s-simple",
          "SPHINCS+-SHAKE-192f-simple",
          "SPHINCS+-SHAKE-192s-simple",
          "SPHINCS+-SHAKE-256f-simple",
          "SPHINCS+-SHAKE-256s-simple",
          "MAYO-1",
          "MAYO-2",
          "MAYO-3",
          "MAYO-5",
          "cross-rsdp-128-balanced",
          "cross-rsdp-128-fast",
          "cross-rsdp-128-small",
          "cross-rsdp-192-balanced",
          "cross-rsdp-192-fast",
          "cross-rsdp-192-small",
          "cross-rsdp-256-balanced",
          "cross-rsdp-256-fast",
          "cross-rsdp-256-small",
          "cross-rsdpg-128-balanced",
          "cross-rsdpg-128-fast",
          "cross-rsdpg-128-small",
          "cross-rsdpg-192-balanced",
          "cross-rsdpg-192-fast",
          "cross-rsdpg-192-small",
          "cross-rsdpg-256-balanced",
          "cross-rsdpg-256-fast",
          "cross-rsdpg-256-small",
          "OV-Is",
          "OV-Ip",
          "OV-III",
          "OV-V",
          "OV-Is-pkc",
          "OV-Ip-pkc",
          "OV-III-pkc",
          "OV-V-pkc",
          "OV-Is-pkc-skc",
          "OV-Ip-pkc-skc",
          "OV-III-pkc-skc",
          "OV-V-pkc-skc"
        ]
      max-parallel: 1 # No parallel jobs to not compromise the pull-push operations of the benchmarking actions below
    steps:
      # Ensure the repository is checked out
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
        with:
          fetch-depth: 0
      # Download the built binary and script
      - name: Download artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # pin@v4
        with:
          name: built-sig-binary
          path: build/tests/
      # Set execute permissions for the binary
      - name: Set execute permissions
        run: chmod +x build/tests/speed_sig
      # Run speed_sig tests for each algorithm
      - name: Run speed_sig tests
        run: |
          cd build/tests
          ./speed_sig "${{matrix.algorithm}}" > ${{matrix.algorithm}}_output.txt
          python3 parse_liboqs_speed.py ${{matrix.algorithm}}_output.txt --algorithm ${{matrix.algorithm}}
      # Push to GitHub pages using continuous-benchmark
      - name: Store benchmark result
        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7
        with:
          name: ${{matrix.algorithm}}
          tool: "customSmallerIsBetter"
          output-file-path: build/tests/${{matrix.algorithm}}_formatted.json
          github-token: ${{ secrets.GITHUB_TOKEN }}
          auto-push: true
          comment-on-alert: true
          summary-always: true
          alert-threshold: 105%
          comment-always: false
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@ -14,24 +14,9 @@ jobs:
  scorecard:
    uses: ./.github/workflows/scorecard.yml
    secrets: inherit
    # complete list of permissions keys as per
    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
    # accessed September 4, 2024
    permissions:
      actions: read
      attestations: read
      checks: read
      contents: read
      deployments: read
      id-token: write
      issues: read
      discussions: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      security-events: write
      statuses: read
  extended-tests:
    uses: ./.github/workflows/extended.yml
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -8,10 +8,11 @@ on: [workflow_call, workflow_dispatch]
 jobs:
  windows-arm64:
    runs-on: windows-2022
    strategy:
      matrix:
        runner: [windows-2022, windows-2025]
        stfl_opt: [ON, OFF]
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
      - name: Generate Project
@ -20,12 +21,13 @@ jobs:
        run: cmake --build build
  windows-x86:
    runs-on: windows-2022
    strategy:
      fail-fast: false
      matrix:
        runner: [windows-2022, windows-2025]
        toolchain: [.CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake]
        stfl_opt: [ON, OFF]
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Install Python
        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@ -9,7 +9,7 @@ jobs:
  zephyr_test:
    runs-on: ubuntu-22.04
-    container: ghcr.io/zephyrproject-rtos/ci:latest
+    container: ghcr.io/zephyrproject-rtos/ci:v0.27.4
    env:
        CMAKE_PREFIX_PATH: /opt/toolchains
    strategy:
@ -17,7 +17,7 @@ jobs:
        matrix:
          config:
            - zephyr-ref: v3.4.0
-            - zephyr-ref: v3.5.0
+            - zephyr-ref: v3.7.0
    steps:
        - name: Init Zephyr workspace
--- a/.gitignore
+++ b/.gitignore
@ -37,3 +37,6 @@ __pycache__
 .CMake/a.out
 compile_commands.json
 # Generated by Nix flake
 result/
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,21 @@
 language: c
 before_script:
  - sudo apt update && sudo apt -y install astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz valgrind
 jobs:
  include:
    - arch: ppc64le         # The IBM Power LXD container based build for OSS only
      os: linux             # required for arch different than amd64
      dist: focal           # or bionic | xenial with xenial as default
      compiler: gcc
      if: NOT branch =~ /^ghactionsonly-/
      script:
        - mkdir build && cd build && cmake -GNinja -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_STFL_SIG_KEY_SIG_GEN=ON .. && cmake -LA -N .. && ninja
        - cd build & ninja run_tests
    - arch: s390x
      os: linux
      dist: focal
      compiler: gcc
      if: NOT branch =~ /^ghactionsonly-/
      script:
        - mkdir build && cd build && cmake -GNinja -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_STFL_SIG_KEY_SIG_GEN=ON .. && cmake -LA -N .. && ninja
        - cd build & ninja run_tests
--- a/CI.md
+++ b/CI.md
@ -26,12 +26,12 @@ For example, "[full tests] [trigger downstream]" will trigger both the platform
 #### <a name="pr.yml"></a> Pull request workflow (`pr.yml`)
 This workflow runs on pull requests.
-It calls [basic checks](#basic.yml), [platform tests](#platforms.yml) and [scorecard analysis](#scorecard.yml).
+It calls [basic checks](#basic.yml), [code coverage tests](#code-coverage.yml), [platform tests](#platforms.yml) and [scorecard analysis](#scorecard.yml).
 #### <a name="commit-to-main.yml"></a> Commit-to-main workflow (`commit-to-main.yml`)
 This workflow runs on pushes to the `main` branch (typically done automatically when a pull request is merged).
-It calls [platform tests](#platforms.yml), [scorecard analysis](#scorecard.yml), and [basic downstream tests](#downstream-basic.yml).
+It calls [platform tests](#platforms.yml), [code coverage tests](#code-coverage.yml), [scorecard analysis](#scorecard.yml), and [basic downstream tests](#downstream-basic.yml).
 #### <a name="weekly.yml"></a> Weekly workflow (`weekly.yml`)
@ -53,6 +53,10 @@ Users with "write" permissions can also trigger them manually via the GitHub web
 This workflow runs a minimal set of tests that should pass before heavier tests are triggered.
 #### <a name="code-coverage.yml"></a> Code coverage tests (`code-coverage.yml`)
 This workflow runs code coverage tests and uploads the results to [Coveralls.io](https://coveralls.io/github/open-quantum-safe/liboqs).
 #### <a name="<platform>.yml"></a> Individual platform tests (`<platform>.yml`)
 These workflows contain tests for the individual [platforms supported by liboqs](PLATFORMS.md).
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -27,6 +27,13 @@ option(OQS_LIBJADE_BUILD "Enable formally verified implementation of supported a
 option(OQS_PERMIT_UNSUPPORTED_ARCHITECTURE "Permit compilation on an an unsupported architecture." OFF)
 option(OQS_STRICT_WARNINGS "Enable all compiler warnings." OFF)
 option(OQS_EMBEDDED_BUILD "Compile liboqs for an Embedded environment without a full standard library." OFF)
 option(OQS_USE_CUPQC "Utilize cuPQC as the backend for supported PQC algorithms." OFF)
 # Libfuzzer isn't supported on gcc
 if('${CMAKE_C_COMPILER_ID}' STREQUAL 'Clang')
    option(OQS_BUILD_FUZZ_TESTS "Build fuzz test suite" OFF)
 endif()
 set(OQS_OPT_TARGET auto CACHE STRING "The target microarchitecture for optimization.")
@ -34,11 +41,25 @@ set(CMAKE_C_STANDARD 11)
 set(CMAKE_C_STANDARD_REQUIRED ON)
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_C_VISIBILITY_PRESET hidden)
-set(OQS_VERSION_TEXT "0.10.2-dev")
+set(OQS_VERSION_MAJOR 0)
 set(OQS_VERSION_MINOR 13)
 set(OQS_VERSION_PATCH 1)
 set(OQS_VERSION_PRE_RELEASE "-dev")
 set(OQS_VERSION_TEXT "${OQS_VERSION_MAJOR}.${OQS_VERSION_MINOR}.${OQS_VERSION_PATCH}${OQS_VERSION_PRE_RELEASE}")
 set(OQS_COMPILE_BUILD_TARGET "${CMAKE_SYSTEM_PROCESSOR}-${CMAKE_HOST_SYSTEM}")
 set(OQS_MINIMAL_GCC_VERSION "7.1.0")
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 # Determine the flags for fuzzing. Use OSS-Fuzz's configuration if available, otherwise fall back to defaults.
 if(DEFINED ENV{LIB_FUZZING_ENGINE})
    set(FUZZING_ENGINE $ENV{LIB_FUZZING_ENGINE})
    set(FUZZING_COMPILE_FLAGS "")
    set(FUZZING_LINK_FLAGS "${FUZZING_ENGINE}")
 else()
    set(FUZZING_COMPILE_FLAGS "-fsanitize=fuzzer,address")
    set(FUZZING_LINK_FLAGS "-fsanitize=fuzzer,address")
 endif()
 # heuristic check to see whether we're running on a RaspberryPi
 if(EXISTS "/opt/vc/include/bcm_host.h")
 	add_definitions( -DOQS_USE_RASPBERRY_PI )
@ -107,6 +128,12 @@ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "s390x")
    endif()
 elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "riscv")
    set(ARCH "riscv")
 elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "loongarch64")
    set(ARCH "loongarch64")
    set(ARCH_LOONGARCH64 ON)
    if(${OQS_DIST_BUILD})
        set(OQS_DIST_LOONGARCH64_BUILD ON)
    endif()
 elseif(OQS_PERMIT_UNSUPPORTED_ARCHITECTURE)
    message(WARNING "Unknown or unsupported processor: " ${CMAKE_SYSTEM_PROCESSOR})
    message(WARNING "Compilation on an unsupported processor should only be used for testing, as it may result an insecure configuration, for example due to variable-time instructions leaking secret information.")
@ -114,6 +141,16 @@ else()
    message(FATAL_ERROR "Unknown or unsupported processor: " ${CMAKE_SYSTEM_PROCESSOR} ". Override by setting OQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON")
 endif()
 if(${OQS_USE_CUPQC})
    # CMAKE's CUDA language requires CMAKE 3.18
    cmake_minimum_required (VERSION 3.18)
    enable_language(CUDA)
    if(NOT DEFINED CMAKE_CUDA_ARCHITECTURES)
      set(CMAKE_CUDA_ARCHITECTURES 80 90)
    endif()
    find_package(cuPQC 0.2.0 REQUIRED)
 endif()
 if (NOT ((CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin") AND (ARCH_X86_64 STREQUAL "ON")) AND (OQS_LIBJADE_BUILD STREQUAL "ON"))
    message(FATAL_ERROR "Building liboqs with libjade implementations from libjade is only supported on Linux and Darwin on x86_64.")
 endif()
@ -227,6 +264,12 @@ endif()
 if(OQS_ENABLE_SIG_CROSS)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/cross/sig_cross.h)
 endif()
 if(OQS_ENABLE_SIG_UOV)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/uov/sig_uov.h)
 endif()
 if(OQS_ENABLE_SIG_SNOVA)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/snova/sig_snova.h)
 endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_HEADERS_END
 if(OQS_ENABLE_SIG_STFL_XMSS)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig_stfl/xmss/sig_stfl_xmss.h)
--- a/CONFIGURE.md
+++ b/CONFIGURE.md
@ -13,14 +13,17 @@ The following options can be passed to CMake before the build file generation pr
 - [OQS_DIST_BUILD](#OQS_DIST_BUILD)
 - [OQS_USE_CPUFEATURE_INSTRUCTIONS](#OQS_USE_CPUFEATURE_INSTRUCTIONS)
 - [OQS_USE_OPENSSL](#OQS_USE_OPENSSL)
 - [OQS_USE_CUPQC](#OQS_USE_CUPQC)
 - [OQS_OPT_TARGET](#OQS_OPT_TARGET)
 - [OQS_SPEED_USE_ARM_PMU](#OQS_SPEED_USE_ARM_PMU)
 - [USE_COVERAGE](#USE_COVERAGE)
 - [USE_SANITIZER](#USE_SANITIZER)
 - [OQS_ENABLE_TEST_CONSTANT_TIME](#OQS_ENABLE_TEST_CONSTANT_TIME)
 - [OQS_STRICT_WARNINGS](#OQS_STRICT_WARNINGS)
 - [OQS_EMBEDDED_BUILD](#OQS_EMBEDDED_BUILD)
 - [OQS_LIBJADE_BUILD](#OQS_LIBJADE_BUILD)
 - [OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG](#OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG)
 - [OQS_BUILD_FUZZ_TESTS](#OQS_BUILD_FUZZ_TESTS)
 ## BUILD_SHARED_LIBS
@ -34,7 +37,9 @@ This means liboqs is built as a static library by default.
 Can be set to the following values:
- `Debug`: This turns off all compiler optimizations and produces debugging information. When the compiler is Clang, the [USE_SANITIZER](#USE_SANITIZER) option can also be specified to enable a Clang sanitizer. **This value only has effect when the compiler is GCC or Clang**
+- `Debug`: This turns off all compiler optimizations and produces debugging information. **This value only has effect when the compiler is GCC or Clang**
  - The [USE_COVERAGE](#USE_COVERAGE) option can also be specified to enable code coverage testing.
  - When the compiler is Clang, the [USE_SANITIZER](#USE_SANITIZER) option can also be specified to enable a Clang sanitizer.
 - `Release`: This compiles code at the `O3` optimization level, and sets other compiler flags that reduce the size of the binary.
@ -123,6 +128,13 @@ Dynamically load OpenSSL through `dlopen`. When using liboqs from other cryptogr
 Only has an effect if the system supports `dlopen` and ELF binary format, such as Linux or BSD family.
 ### OQS_USE_CUPQC
 Can be `ON` or `OFF`.  When `ON`, use NVIDIA's cuPQC library where able (currently just ML-KEM).  When this option is enabled, liboqs may not run correctly on machines that lack supported GPUs. To download cuPQC follow the instructions at (https://developer.nvidia.com/cupqc-download/). Detailed descriptions of the API, requirements, and installation guide are in the cuPQC documentation (https://docs.nvidia.com/cuda/cupqc/index.html). While the code shipped by liboqs required to use cuPQC is licensed under Apache 2.0 the cuPQC SDK comes with its own license agreement (https://docs.nvidia.com/cuda/cupqc/license.html). 
 **Default**: `OFF`
 ## Stateful Hash Based Signatures 
 XMSS and LMS are the two supported Hash-Based Signatures schemes.
@ -164,6 +176,12 @@ Note that this option is not known to work on Apple M1 chips.
 **Default**: `OFF`.
 ## USE_COVERAGE
 This has an effect when the compiler is GCC or Clang and when [CMAKE_BUILD_TYPE](#CMAKE_BUILD_TYPE) is `Debug`. Can be `ON` or `OFF`. When `ON`, code coverage testing will be enabled.
 **Default**: Unset.
 ## USE_SANITIZER
 This has an effect when the compiler is Clang and when [CMAKE_BUILD_TYPE](#CMAKE_BUILD_TYPE) is `Debug`. Then, it can be set to:
@ -214,4 +232,11 @@ At the moment, libjade only supports Linux and Darwin based operating systems on
 Note: `ALG` in `OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG` should be replaced with the specific algorithm name as demonstrated in OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG.
-**Default**: `OFF` if OQS_LIBJADE_BUILD is `OFF` else unset.
+**Default**: `OFF` if OQS_LIBJADE_BUILD is `OFF` else unset.
 ## OQS_BUILD_FUZZ_TESTS
 Can be `ON` or `OFF`. When `ON` liboqs the fuzz test-suite will be enabled. This option is only available if the c compiler is set to clang i.e. `-DCMAKE_C_COMPILER=clang`.
 Note: It is strongly recommended that this configuration be enabled with `CFLAGS=-fsanitize=address,fuzzer-no-link LDFLAGS=-fsanitize=address`. While fuzzing will run without these flags, enabling this instrumentation will make fuzzing performance much faster and catch [potential memory related bugs](https://clang.llvm.org/docs/AddressSanitizer.html). 
 **Default** `OFF`.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -5,6 +5,14 @@ the form of [a discussion](https://github.com/open-quantum-safe/liboqs/discussio
 for input or feedback, possible bug reports or feature requests via [issues](https://github.com/open-quantum-safe/liboqs/issues)
 as well as new code and documentation via a [pull request (PR)](https://github.com/open-quantum-safe/liboqs/pulls).
 ## Baseline design goal
 OQS is a collection of many different PQC algorithms, maintained by a small team of people who are not guaranteed to be versed in the intricate details of each algorithm.
 Therefore, all contributions to the general logic of the project should be as independent of any single algorithm such as to ease long-term maintainability. If changes are contributed catering to the properties of a specific algorithm, it is expected that consideration is given at least how the other algorithms of the same type (KEM or SIG) should cater to the proposed changes, e.g., by way of a new, generally satisfiable API.
 All contributions to a specific algorithm ideally come with the willingness to provide long-term support, or at least a contact person that can help the OQS team pinpoint potential problems with the algorithm.
 ## Review and Feedback
 We aim to provide timely feedback to any input. If you are uncertain as to whether
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@ -96,21 +96,29 @@ Votes are to be executed by way of open GitHub discussions. No quorum is needed
 ### Maintainers
-@baentsch
+@baentsch (on leave of absence as of March 11, 2025)
@dstebila
@SWilson4
 ### Committers
-@baentsch
+@baentsch (on leave of absence as of March 11, 2025)
@bhess
@christianpaquin
@dstebila
@jschanck
@Martyrshot
@praveksharma
-@swilson4
+@SWilson4
@vsoftco
 ## Former Maintainers and Committers
 OQS is grateful to the following individuals who have previously served as Maintainers or Committers for liboqs.
 ### Former Committers
@jschanck
 ## Afterword
 *This governance document was based in part of the [Falco Project governance document](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md).
--- a/PLATFORMS.md
+++ b/PLATFORMS.md
@ -10,6 +10,8 @@ This classification is roughly based on the [rust platform support tier classifi
 Tier 1 targets can be thought of as "guaranteed to work". The CI system builds and tests binary versions for each tier 1 target to make sure any change does not negatively affect those platforms. Platform-specific build documentation must exist. Tier 1 targets marked with a dagger (†) are additionally tested for constant-time behaviour. The CI system contains automated constant-time testing for each of these starred targets, and all failures are documented in the `tests/constant_time` directory. IMPORTANT: This does not mean that constant-time behaviour is guaranteed on these targets, or that non-constant-time behaviour is limited to documented exceptions. It does, however, mean that `liboqs` developers should track constant-time issues on these platforms.
 Tier 1 platforms are also prioritized for security support, as per the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md).
 ### Tier 2
 Tier 2 targets can be thought of as "guaranteed to build". The `liboqs` CI system contains builds for each tier 2 target; testing may or may not be available (typically depending on CI system platform availability). Therefore, tier 2 targets often work to quite a good degree and patches are always welcome! Tier 2 targets may also have known deficiencies caused by a lack of expertise to fix those on a given platform. Again, help and PRs to move platforms from tier 2 to tier 1 are always welcome.
@ -45,14 +47,14 @@ In this policy, the words "must" and "must not" specify absolute requirements th
 ### Tier 1
 - x86_64/amd64/x64 for Ubuntu Linux (Noble)†
- x86_64/amd64/x64 for MacOS (XCode 14 and 15)
+- x86_64/amd64/x64 for MacOS (XCode 15)
 - aarch64 for Ubuntu (Noble)
- aarch64 for MacOS (XCode 15)
+- aarch64 for MacOS (XCode 15 and 16)
 - armhf/ARM7 and aarch64 emulation on Ubuntu
 ### Tier 2
- x86_64/amd64/x64 for Windows (Visual Studio Toolchain) 2022
+- x86_64/amd64/x64 for Windows (Visual Studio Toolchain) 2022 and 2025
 - armeabi-v7a, arm64-v8a, x86, x86_64 for Android
 - aarch64 for Apple iOS and tvOS (CMake `-DPLATFORM=OS64` and `TVOS`)
 - arm64, arm (32 bit), x86, x86_64, riscv32, riscv64 for Zephyr
@ -60,3 +62,7 @@ In this policy, the words "must" and "must not" specify absolute requirements th
 ### Tier 3
 - x86 for Windows (Visual Studio Toolchain)
 - ppc641e for Ubuntu (Focal)
 - s390x for Ubuntu (Focal)
 - loongarch64 for Debian Linux (trixie)
 - NVIDIA GPU architectures 70, 75, 80, 86, 89, and 90 with a x86_64 CPU for Linux
--- a/README.md
+++ b/README.md
@ -1,6 +1,11 @@
 liboqs
 ======================
 [![Main Branch Tests](https://github.com/open-quantum-safe/liboqs/actions/workflows/commit-to-main.yml/badge.svg)](https://github.com/open-quantum-safe/liboqs/actions/workflows/commit-to-main.yml)
 [![Weekly Tests](https://github.com/open-quantum-safe/liboqs/actions/workflows/weekly.yml/badge.svg)](https://github.com/open-quantum-safe/liboqs/actions/workflows/weekly.yml)
 ![Travis Build Status](https://img.shields.io/travis/com/open-quantum-safe/liboqs?logo=travis&label=Travis%20CI&labelColor=%23343B42&color=%232EBB4E)
 [![Coverage Status](https://coveralls.io/repos/github/open-quantum-safe/liboqs/badge.svg?branch=main)](https://coveralls.io/github/open-quantum-safe/liboqs?branch=main)
 liboqs is an open source C library for quantum-safe cryptographic algorithms.
 - [liboqs](#liboqs)
@ -32,6 +37,8 @@ liboqs is part of the **Open Quantum Safe (OQS)** project, which aims to develop
 The OQS project is supported by the [Post-Quantum Cryptography Alliance](https://pqca.org/) as part of the [Linux Foundation](https://linuxfoundation.org/). More information about the Open Quantum Safe project can be found at [openquantumsafe.org](https://openquantumsafe.org/).
 OQS is running a survey to better understand our community. We would like to hear from organizations and individuals about their interest in and use of the Open Quantum Safe project. Please take a few minutes to fill out the survey: https://linuxfoundation.surveymonkey.com/r/oqssurvey
 ## Status
 ### Supported Algorithms
@ -40,7 +47,7 @@ Details on each supported algorithm can be found in the [docs/algorithms](https:
 The list below indicates all algorithms currently supported by liboqs, including experimental algorithms and already excluding algorithm variants pruned during the NIST competition, such as Kyber-90s or Dilithium-AES.
-The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/ipd) (initial public draft) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. For users interested in explicitly selecting the current "proposed draft standard" code, the variants with the suffix "-ipd" are made available. At this stage, "ml-dsa-ipd" and "ml-dsa" are functionally equivalent, denoted by the "alias" moniker below.
+The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/final) (final standard) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes.
 Falcon and SPHINCS+ have also been [selected for standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022), but the `liboqs` implementations of these algorithms are currently tracking Round 3 submissions and not NIST standards drafts.
@ -65,9 +72,11 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes
 - **CRYSTALS-Dilithium**: Dilithium2, Dilithium3, Dilithium5
 - **Falcon**: Falcon-512, Falcon-1024, Falcon-padded-512, Falcon-padded-1024
 - **MAYO**: MAYO-1, MAYO-2, MAYO-3, MAYO-5†
- **ML-DSA**: ML-DSA-44-ipd (alias: ML-DSA-44), ML-DSA-65-ipd (alias: ML-DSA-65), ML-DSA-87-ipd (alias: ML-DSA-87)
+- **ML-DSA**: ML-DSA-44, ML-DSA-65, ML-DSA-87
 - **SNOVA**: SNOVA\_24\_5\_4, SNOVA\_24\_5\_4\_SHAKE, SNOVA\_24\_5\_4\_esk, SNOVA\_24\_5\_4\_SHAKE\_esk, SNOVA\_37\_17\_2†, SNOVA\_25\_8\_3, SNOVA\_56\_25\_2†, SNOVA\_49\_11\_3†, SNOVA\_37\_8\_4†, SNOVA\_24\_5\_5†, SNOVA\_60\_10\_4†, SNOVA\_29\_6\_5†
 - **SPHINCS+-SHA2**: SPHINCS+-SHA2-128f-simple, SPHINCS+-SHA2-128s-simple, SPHINCS+-SHA2-192f-simple, SPHINCS+-SHA2-192s-simple, SPHINCS+-SHA2-256f-simple, SPHINCS+-SHA2-256s-simple
 - **SPHINCS+-SHAKE**: SPHINCS+-SHAKE-128f-simple, SPHINCS+-SHAKE-128s-simple, SPHINCS+-SHAKE-192f-simple, SPHINCS+-SHAKE-192s-simple, SPHINCS+-SHAKE-256f-simple, SPHINCS+-SHAKE-256s-simple
 - **UOV**: OV-Is, OV-Ip, OV-III, OV-V, OV-Is-pkc, OV-Ip-pkc, OV-III-pkc, OV-V-pkc, OV-Is-pkc-skc, OV-Ip-pkc-skc, OV-III-pkc-skc, OV-V-pkc-skc
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END -->
 - **XMSS**: XMSS-SHA2_10_256, XMSS-SHA2_16_256, XMSS-SHA2_20_256, XMSS-SHAKE_10_256, XMSS-SHAKE_16_256, XMSS-SHAKE_20_256, XMSS-SHA2_10_512, XMSS-SHA2_16_512, XMSS-SHA2_20_512, XMSS-SHAKE_10_512, XMSS-SHAKE_16_512, XMSS-SHAKE_20_512, XMSS-SHA2_10_192, XMSS-SHA2_16_192, XMSS-SHA2_20_192, XMSS-SHAKE256_10_192, XMSS-SHAKE256_16_192, XMSS-SHAKE256_20_192, SHAKE256_10_256, SHAKE256_16_256, SHAKE256_20_256, XMSSMT-SHA2_20/2_256, XMSSMT-SHA2_20/4_256, XMSSMT-SHA2_40/2_256, XMSSMT-SHA2_40/4_256, XMSSMT-SHA2_40/8_256, XMSSMT-SHA2_60/3_256, XMSSMT-SHA2_60/6_256, XMSSMT-SHA2_60/12_256, XMSSMT-SHAKE_20/2_256, XMSSMT-SHAKE_20/4_256, XMSSMT-SHAKE_40/2_256, XMSSMT-SHAKE_40/4_256, XMSSMT-SHAKE_40/8_256, XMSSMT-SHAKE_60/3_256, XMSSMT-SHAKE_60/6_256, XMSSMT-SHAKE_60/12_256 
 - **LMS**: LMS_SHA256_H5_W1, LMS_SHA256_H5_W2, LMS_SHA256_H5_W4, LMS_SHA256_H5_W8, LMS_SHA256_H10_W1, LMS_SHA256_H10_W2, LMS_SHA256_H10_W4, LMS_SHA256_H10_W8, LMS_SHA256_H15_W1, LMS_SHA256_H15_W2, LMS_SHA256_H15_W4, LMS_SHA256_H15_W8, LMS_SHA256_H20_W1, LMS_SHA256_H20_W2, LMS_SHA256_H20_W4, LMS_SHA256_H20_W8, LMS_SHA256_H25_W1, LMS_SHA256_H25_W2, LMS_SHA256_H25_W4, LMS_SHA256_H25_W8, LMS_SHA256_H5_W8_H5_W8, LMS_SHA256_H10_W4_H5_W8, LMS_SHA256_H10_W8_H5_W8, LMS_SHA256_H10_W2_H10_W2, LMS_SHA256_H10_W4_H10_W4, LMS_SHA256_H10_W8_H10_W8, LMS_SHA256_H15_W8_H5_W8, LMS_SHA256_H15_W8_H10_W8, LMS_SHA256_H15_W8_H15_W8, LMS_SHA256_H20_W8_H5_W8, LMS_SHA256_H20_W8_H10_W8, LMS_SHA256_H20_W8_H15_W8, LMS_SHA256_H20_W8_H20_W8
@ -84,12 +93,19 @@ We realize some parties may want to deploy quantum-safe cryptography prior to th
 **WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS LIBRARY IN A PRODUCTION ENVIRONMENT OR TO PROTECT ANY SENSITIVE DATA.** This library is meant to help with research and prototyping.  While we make a best-effort approach to avoid security bugs, this library has not received the level of auditing and analysis that would be necessary to rely on it for high security use.
 Please see [SECURITY.md](SECURITY.md#security-policy) for details on how to report a vulnerability and the OQS vulnerability response process.
 #### Platform limitations
 In order to optimize support effort,
 - not all algorithms are equally well supported on all platforms. In case of questions, it is first advised to review the [documentation files for each algorithm](docs/algorithms).
 - not all compilers are equally well supported. For example, at least v7.1.0 of the GNU compiler is required.
 #### Support limitations
 This project is not commercially supported. All guidelines and goals for liboqs are reflections of current practices, executed by a community of academic, part-time, and/or voluntary contributors on a best-effort basis and may change at any time. Any entity seeking more reliable commitments is strongly encouraged to join the OQS community and thus enhance the code and support that the community can provide.
 ## Quickstart
 ### Linux and Mac
@ -105,6 +121,10 @@ In order to optimize support effort,
 		brew install cmake ninja openssl@3 wget doxygen graphviz astyle valgrind
 		pip3 install pytest pytest-xdist pyyaml
 	Using Nix:
 	    nix develop
 	Note that, if you want liboqs to use OpenSSL for various symmetric crypto algorithms (AES, SHA-2, etc.) then you must have OpenSSL installed (version 3.x recommended; EOL version 1.1.1 also still possible).
 2. Get the source:
@ -134,6 +154,7 @@ The following instructions assume we are in `build`.
 	- `kat_sig_stfl`: Program for checking results against submitted KAT values using `tests/test_kat.py`
 	- `speed_kem`: Benchmarking program for key encapsulation mechanisms; see `./speed_kem --help` for usage instructions
 	- `speed_sig`: Benchmarking program for signature mechanisms; see `./speed_sig --help` for usage instructions
 	- `speed_sig_stfl`: Benchmarking program for stateful signature mechanisms; see `./speed_sig_stfl --help` for usage instructions
 	- `example_kem`: Minimal runnable example showing the usage of the KEM API
 	- `example_sig`: Minimal runnable example showing the usage of the signature API
 	- `example_sig_stfl`: Minimal runnable example showing the usage of the stateful signature API
@ -194,7 +215,7 @@ liboqs includes some third party libraries or modules that are licensed differen
 - `src/kem/kyber/pqcrystals-*`: public domain (CC0) or Apache License v2.0
 - `src/kem/kyber/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
 - `src/kem/kyber/libjade_*` public domain (CC0) or Apache License v2.
- `src/kem/ml_kem/pqcrystals-*`: public domain (CC0) or Apache License v2.0
+- `src/kem/ml_kem/mlkem-native_*`: Apache License v2.0
 - `src/sig/dilithium/pqcrystals-*`: public domain (CC0) or Apache License v2.0
 - `src/sig/dilithium/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
 -  src/sig/falcon/pqclean_\*\_aarch64 : Apache License v2.0
--- a/RELEASE.md
+++ b/RELEASE.md
@ -1,4 +1,4 @@
-liboqs version 0.10.0
+liboqs version 0.13.0
 =====================
 About
@ -14,117 +14,104 @@ liboqs can be used with the following Open Quantum Safe application integrations
 - **OQS-BoringSSL**: A prototype integration of liboqs-based authentication and key exchange into TLS 1.3 in our fork of BoringSSL; see https://github.com/open-quantum-safe/boringssl.
 - **OQS-OpenSSH**: A prototype integration of liboqs-based authentication and key exchange into Secure Shell (SSH) version 2 in our fork of OpenSSH; see https://github.com/open-quantum-safe/openssh.
-Several [demos](https://github.com/open-quantum-safe/oqs-demos) are available for using the above libraries in applications, including Apache, Chromium, curl, haproxy, nginx, and Wireshark.  Performance of liboqs in several settings is measured at https://openquantumsafe.org/benchmarking/.
+Several [demos](https://github.com/open-quantum-safe/oqs-demos) are available for using the above libraries in applications, including Apache, Chromium, curl, haproxy, nginx, and Wireshark.
 liboqs can also be used in the following programming languages via language-specific wrappers:
 - C++, via https://github.com/open-quantum-safe/liboqs-cpp
 - Go, via https://github.com/open-quantum-safe/liboqs-go
 - Java, via https://github.com/open-quantum-safe/liboqs-java
 - .NET, via https://github.com/open-quantum-safe/liboqs-dotnet
 - Python 3, via https://github.com/open-quantum-safe/liboqs-python
 - Rust, via https://github.com/open-quantum-safe/liboqs-rust
 Release notes
 =============
-This is version 0.10.0 of liboqs. It was released on March 20, 2024.
+This is version 0.13.0 of liboqs. It was released on April 16, 2025.
-This release adds support for ML-KEM (previously known as CRYSTALS-Kyber) and ML-DSA (previously known as CRYSTALS-Dilithium), based on the initial public drafts of [FIPS 203](https://csrc.nist.gov/pubs/fips/203/ipd) and [FIPS 204](https://csrc.nist.gov/pubs/fips/204/ipd), respectively. OQS continues to support the NIST Round 3 versions of Kyber and Dilithium for interoperability purposes. This release additionally updates HQC to the NIST Round 4 version and adds support for fixed-length Falcon signatures.
+This release improves support for NIST Additional Signatures Round 2 candidates: CROSS and MAYO implementations are updated and support is added for UOV. This release also adds a new KEM API for deterministic key generation (only supported by ML-KEM at the moment). Finally, this release adds support for ML-KEM implementations from 2 new sources: formally verified portable C, AVX2, and AArch64 implementations from [PQCP's mlkem-native](https://github.com/pq-code-package/mlkem-native) and a GPU accelerated CUDA implementation from [Nvidia cuPQC](https://developer.nvidia.com/cupqc). 
 OQS is running a survey to better understand our community. We would like to hear from organizations and individuals about their interest in and use of the Open Quantum Safe project. Please take a few minutes to fill out the survey: https://linuxfoundation.surveymonkey.com/r/oqssurvey
 What's New
 ----------
-This release continues from the 0.9.2 release of liboqs.
+This release continues from the 0.12.0 release of liboqs.
 ### Key encapsulation mechanisms
- BIKE: Updated portable C implementation to include constant-time fixes from upstream.
+- New API: Added a deterministic key generation and API for KEMs (only ML-KEM supported at the moment).
- HQC: Updated to NIST Round 4 version.
+- ML-KEM: Changed the default ML-KEM implementation to [PQCP's mlkem-native](https://github.com/pq-code-package/mlkem-native). There are three variants: Portable C, AVX2, and AArch64. Large parts of these implementations are formally verified: all of the C code is verified for memory and type safety using [CBMC](https://github.com/diffblue/cbmc) and the functional correctness of the core AArch64 assembly routines is verified using [HOL-Light](https://github.com/jrh13/hol-light). 
- ML-KEM: Added portable C and AVX2 implementations of Initial Public Draft (IPD) versions of ML-KEM-512, ML-KEM-768, and ML-KEM-1024.
+- ML-KEM: Added support for the ML-KEM implementation from [Nvidia cuPQC](https://developer.nvidia.com/cupqc), a GPU accelerated cryptography library.
 - ML-KEM: Implementation from mlkem-native upstream updated to add Pair-wise Consistency Test (PCT) and Intel CET support.
 - ML-KEM: Improved testing of ML-KEM keys.
 - HQC: Disabled HQC by default until [a new security flaw](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP8) is fixed.
 ### Digital signature schemes
- Falcon: Updated portable C, AVX2, and AArch64 implementations to support fixed-length (PADDED-format) signatures. Fixed the maximum length of variable-length signatures to comply with the NIST Round 3 specification.
+- ML-DSA: Improved testing for ML-DSA.
- ML-DSA: Added portable C and AVX2 implementations of Initial Public Draft (IPD) versions of ML-DSA-44, ML-DSA-65, and ML-DSA-87.
+- CROSS: Updated to NIST Additional Signatures Round 2 version.
 - MAYO: Updated to NIST Additional Signatures Round 2 version.
 - UOV: Added support for UOV algorithm from NIST Additional Signatures Round 2.
 ### Other changes
- Improved thread safety.
+- Added support for loongarch64 architecture.
 - Added uninstall support via `ninja uninstall`
 - Documented platforms by support tier in PLATFORMS.md.
 - Added support for Zephyr RTOS.
 - Improved support for macOS on Apple Silicon.
 - Removed support for the "NIST-KAT" DRBG.
 - Added extended KAT test programs.
 ---
 Detailed changelog
 ------------------
-* PR template update & OpenSSL clarification by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1582
+## What's Changed
-* Use CMAKE_USE_PTHREADS_INIT by @zxjtan in https://github.com/open-quantum-safe/liboqs/pull/1576
+* Bump version to 0.12.1-dev by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2015
-* Add section to CONFIGURE.md link by @iyanmv in https://github.com/open-quantum-safe/liboqs/pull/1578
+* Add loongarch64 support by @zhaixiaojuan in https://github.com/open-quantum-safe/liboqs/pull/2010
-* Run copy_from_upstream and test by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1589
+* Minor changes to ML_DSA ACVP tests by @abhinav-thales in https://github.com/open-quantum-safe/liboqs/pull/2007
-* Support several pqclean upstream versions by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1595
+* Update upload-artifact action to v4 by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2017
-* Call Keccak_(X4_)Dispatch with pthread_once by @zxjtan in https://github.com/open-quantum-safe/liboqs/pull/1549
+* Remove hardcoded build paths & modify basic workflow to build in random path by @iyanmv in https://github.com/open-quantum-safe/liboqs/pull/2019
-* minor updates by @vsoftco in https://github.com/open-quantum-safe/liboqs/pull/1600
+* Trigger liboqs-java and liboqs-rust downstream CI by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2021
-* Pull new HQC implementation from upstream by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1585
+* #1830 update scorecard to v5 (gh action 2.4.0) by @planetf1 in https://github.com/open-quantum-safe/liboqs/pull/1890
-* add uninstall support by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1604
+* Update PQClean commit and delete patch for HQC by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2026
-* Ensure generic OQS_OPT_TARGET in weekly CT tests by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1618
+* Bump jinja2 from 3.1.4 to 3.1.5 in /scripts/copy_from_upstream in the pip group by @dependabot in https://github.com/open-quantum-safe/liboqs/pull/2036
-* update .travis.yml by @bhess in https://github.com/open-quantum-safe/liboqs/pull/1629
+* Avoid unresolved symbols from libcrypto when compiled with OQS_DLOPEN_OPENSSL by @ueno in https://github.com/open-quantum-safe/liboqs/pull/2043
-* Pull latest Kyber version from upstream by @bhess in https://github.com/open-quantum-safe/liboqs/pull/1631
+* Update to public Ubuntu 24.04 ARM runner by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2050
-* platform support documentation [skip ci] by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1605
+* NVIDIA: Adding cuPQC as a backend for ML-KEM. by @stevenireeves in https://github.com/open-quantum-safe/liboqs/pull/2044
-* Add support for Zephyr RTOS by @Frauschi in https://github.com/open-quantum-safe/liboqs/pull/1621
+* Update ACVP vectors for KEM and DSA by @abhinav-thales in https://github.com/open-quantum-safe/liboqs/pull/2051
-* Apply patch to Kyber aarch64 code from PQClean for variable-time division issue. by @bhess in https://github.com/open-quantum-safe/liboqs/pull/1636
+* CI: Check unresolved symbols when compiled with OQS_DLOPEN_OPENSSL by @ueno in https://github.com/open-quantum-safe/liboqs/pull/2058
-* Fix BIKE constant-time errors by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1632
+* Fix failing zephyr CI workflows, pinning v0.27.4 by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2063
-* Fix falcon constant time check in Valgrind by @cothan in https://github.com/open-quantum-safe/liboqs/pull/1646
+* Update sig_stfl Doxygen documentation by @pablo-gf in https://github.com/open-quantum-safe/liboqs/pull/2059
-* Correct cmake version requirement by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1643
+* Import ML-KEM from mlkem-native/PQ code package by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2041
-* Pull Kyber division fixes from PQ-Crystals into main by @praveksharma in https://github.com/open-quantum-safe/liboqs/pull/1649
+* Update example files by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2071
-* Bump gitpython from 3.1.37 to 3.1.41 in /scripts/copy_from_upstream by @dependabot in https://github.com/open-quantum-safe/liboqs/pull/1659
+* GitHub runner updates by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2069
-* Zephyr: fixes for platform support by @Frauschi in https://github.com/open-quantum-safe/liboqs/pull/1658
+* Disable cupqc-buildcheck by @praveksharma in https://github.com/open-quantum-safe/liboqs/pull/2075
-* Bump jinja2 from 2.11.3 to 3.1.3 in /scripts/copy_from_upstream by @dependabot in https://github.com/open-quantum-safe/liboqs/pull/1661
+* Add threat model by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2033
-* Riscv zephyr support by @trigpolynom in https://github.com/open-quantum-safe/liboqs/pull/1641
+* Update CROSS to version 2.0 by @rtjk in https://github.com/open-quantum-safe/liboqs/pull/2078
-* Zephyr: CMake fixes by @Frauschi in https://github.com/open-quantum-safe/liboqs/pull/1664
+* improving CONTRIBUTING.md for maintainability [skip ci] by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/2081
-* Clarify that copyright is held by authors and not the project itself [skip ci] by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/1668
+* Ensure that building against liboqs build directory works by @levitte in https://github.com/open-quantum-safe/liboqs/pull/2086
-* Make internal API available to (only) test programs by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1667
+* Added alg_version details to test output by @pablo-gf in https://github.com/open-quantum-safe/liboqs/pull/2080
-* Remove reference to old BIKE variants from CONFIGURE.md [skip ci] by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1669
+* Add checks for ML-KEM keys by @abhinav-thales in https://github.com/open-quantum-safe/liboqs/pull/2009
-* Add a document describing our subproject governance by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/1675
+* Update actions/cache to v4.2.2 by @mkannwischer in https://github.com/open-quantum-safe/liboqs/pull/2093
-* Set the correct compile flag for the memory sanitizer build by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1680
+* Add Nix flake by @aidenfoxivey in https://github.com/open-quantum-safe/liboqs/pull/1970
-* Test against all 100 KAT values by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1560
+* Update MAYO to NIST round 2 by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2095
-* Update BIKE documentation to exclude x86 by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1679
+* Update mlkem-native to v1.0.0-beta by @mkannwischer in https://github.com/open-quantum-safe/liboqs/pull/2092
-* find_package(Threads) regardless of BUILD_ONLY_LIB by @zxjtan in https://github.com/open-quantum-safe/liboqs/pull/1653
+* Add references to security response process by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2077
-* Call set_available_cpu_extensions using pthread_once by @zxjtan in https://github.com/open-quantum-safe/liboqs/pull/1671
+* Bump version to 0.13.0-dev [skip ci] by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2099
-* Discontinue AppVeyor CI testing by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1682
+* Add UOV  by @mkannwischer in https://github.com/open-quantum-safe/liboqs/pull/2094
-* Run oqs-provider release tests in CI on release candidate branches by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1654
+* Add bitflip test for trivial SUF-CMA forgeries by @rtjk in https://github.com/open-quantum-safe/liboqs/pull/2090
-* Fix link in GOVERNANCE.md by @Martyrshot in https://github.com/open-quantum-safe/liboqs/pull/1686
+* Update MAYO version in algorithm datasheet by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2103
-* Rename weekly runs and skip Falcon-1024 [skip ci] by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1684
+* Add DeriveKeyPair API by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2070
-* Update McEliece suppression files for generic config by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1677
+* Update nist-round in UOV and MAYO data sheet by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2105
-* Update SPHINCS+ "clean" suppression files by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1683
+* build: search unistd.h separately from sys/random.h for getentropy by @mkroening in https://github.com/open-quantum-safe/liboqs/pull/2104
-* Update Sphincs+ Markdown documentation from YAML by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1690
+* Add support caveat by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2114
-* properly document release support level [skip ci] by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1688
+* Temporarily disable HQC by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2122
-* set(OQS_USE_PTHREADS OFF) on MinGW/Cygwin by @zxjtan in https://github.com/open-quantum-safe/liboqs/pull/1695
+* Fix PR workflow runs by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2123
 * Fix cross compilation and test in CI by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1696
 * update brew install instructions to use openssl@3 instead of openssl@1.1.1 [skip ci] by @Martyrshot in https://github.com/open-quantum-safe/liboqs/pull/1701
 * Add ML-DSA-ipd and ML-KEM-ipd & NIST supplied test vectors by @bhess in https://github.com/open-quantum-safe/liboqs/pull/1626
 * Small fixes after adding ML-\* by @bhess in https://github.com/open-quantum-safe/liboqs/pull/1702
 * Move MacOS CI tests to GitHub Actions; add M1 CI tests by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1709
 * Update liboqs readme to point to oqs-provider instead of deprecated openssl1.1.1 fork [skip ci] by @Martyrshot in https://github.com/open-quantum-safe/liboqs/pull/1699
 * Fix for the Zephyr CI tests by @Frauschi in https://github.com/open-quantum-safe/liboqs/pull/1714
 * remove references to unsupported openssh [skip ci] by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1713
 * fix documentation generation by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1715
 * Support Falcon PADDED format by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1710
 * Fix for alg_support.cmake by @bhess in https://github.com/open-quantum-safe/liboqs/pull/1716
 * Fix SPHINCS+ naming in CT tests [skip ci] by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1720
 * improve algorithm documentation [skip ci] by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/1721
 * Always build "internal" library as static by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/1725
 ## New Contributors
-* @zxjtan made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/1576
+* @zhaixiaojuan made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2010
-* @iyanmv made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/1578
+* @stevenireeves made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2044
-* @Frauschi made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/1621
+* @pablo-gf made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2059
-* @cothan made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/1646
+* @levitte made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2086
-* @trigpolynom made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/1641
+* @mkannwischer made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2093
 * @mkroening made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2104
-**Full Changelog**: https://github.com/open-quantum-safe/liboqs/compare/0.9.2...0.10.0
+**Full Changelog**: https://github.com/open-quantum-safe/liboqs/compare/0.12.0...0.13.0
--- a/SECURITY.md
+++ b/SECURITY.md
@ -4,14 +4,32 @@
 We only support the most recent release.
-Using any code prior to 0.9.2 is strongly discouraged due to a [known security vulnerability in Kyber](https://github.com/open-quantum-safe/liboqs/releases/tag/0.9.2).
+Using any code prior to 0.12.0 is strongly discouraged due to a [known security vulnerability in HQC](https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7).
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.10.0  | :white_check_mark: |
+| 0.13.0  | :white_check_mark: |
-| < 0.10  | :x:                |
+| < 0.13  | :x:                |
 ## Reporting a Vulnerability
 Please follow [this information to report a vulnerability](https://openquantumsafe.org/liboqs/security.html#reporting-security-bugs).
 ## Threat Model
 Some timing-based side-channel attacks are within the scope of our threat model. OQS tests for secret-dependent branches and memory accesses on Linux on x86\_64. All test failures are documented as either "passes," which we have assessed to be false positives, or "issues," which may constitute non–constant-time behaviour. The [algorithm datasheets](https://github.com/open-quantum-safe/liboqs/tree/main/docs/algorithms) indicate whether or not an implementation passes our constant-time tests, as well as whether or not it is expected to pass. Details about passes and issues are available in the [tests/constant_time directory](https://github.com/open-quantum-safe/liboqs/tree/main/tests/constant_time). These tests do not encompass all classes of non–constant-time behaviour; for example, they do not detect possible variable-time instructions, such as `DIV`. Reports of non–constant-time behaviour that fall outside this scope will be considered on a case-by-case basis, with a priority on [Tier 1 platforms](https://github.com/open-quantum-safe/liboqs/blob/main/PLATFORMS.md#tier-1).
 The following types of attacks are outside the scope of our threat model:
 - same physical system side channel
 - CPU / hardware flaws
 - physical fault injection attacks (including Rowhammer-style attacks)
 - physical observation side channels (such as power consumption, electromagnetic emissions)
 Mitigations for security issues outside the stated threat model may still be applied depending on the nature of the issue and the mitigation.
 (Based in part on https://openssl-library.org/policies/general/security-policy/index.html)
 ## Security Response Process
 Security reports for liboqs will be handled in accordance with the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md). Please also see the general [support disclaimer](README.md#support-limitations) for liboqs.
--- a/cpp/sig_linking_test.cpp
+++ b/cpp/sig_linking_test.cpp
@ -0,0 +1,182 @@
 /*
 * example_sig.cpp
 *
 * Minimal C++ example of using a post-quantum signature implemented in liboqs.
 *
 * SPDX-License-Identifier: MIT
 */
 #include <cstdint>
 #include <cstdlib>
 #include <cstring>
 #include <iostream>
 #include <memory>
 #include <oqs/oqs.h>
 constexpr size_t MESSAGE_LEN = 50;
 /* Cleaning up memory etc */
 void cleanup_stack(uint8_t *secret_key, size_t secret_key_len);
 struct OQSSecureDeleter {
    size_t length;
    explicit OQSSecureDeleter(size_t len) : length(len) {}
    void operator()(uint8_t* ptr) const {
        if (ptr) {
            OQS_MEM_secure_free(ptr, length);
        }
    }
 };
 struct OQSInsecureDeleter {
 	void operator()(uint8_t* ptr) {
 		if (ptr) {
 			OQS_MEM_insecure_free(ptr);
 		}
 	}
 };
 struct OQSSigDeleter {
    void operator()(OQS_SIG* sig) {
        if (sig) {
            OQS_SIG_free(sig);
        }
    }
 };
 /* This function gives an example of the signing operations
 * using only compile-time macros and allocating variables
 * statically on the stack, calling a specific algorithm's functions
 * directly.
 *
 * The macros OQS_SIG_dilithium_2_length_* and the functions OQS_SIG_dilithium_2_*
 * are only defined if the algorithm dilithium_2 was enabled at compile-time
 * which must be checked using the OQS_ENABLE_SIG_dilithium_2 macro.
 *
 * <oqs/oqsconfig.h>, which is included in <oqs/oqs.h>, contains macros
 * indicating which algorithms were enabled when this instance of liboqs
 * was compiled.
 */
 static OQS_STATUS example_stack(void) {
 #ifdef OQS_ENABLE_SIG_dilithium_2
 	OQS_STATUS rc;
 	uint8_t public_key[OQS_SIG_dilithium_2_length_public_key];
 	uint8_t secret_key[OQS_SIG_dilithium_2_length_secret_key];
 	uint8_t message[MESSAGE_LEN];
 	uint8_t signature[OQS_SIG_dilithium_2_length_signature];
 	size_t message_len = MESSAGE_LEN;
 	size_t signature_len;
 	// let's create a random test message to sign
 	OQS_randombytes(message, message_len);
 	rc = OQS_SIG_dilithium_2_keypair(public_key, secret_key);
 	if (rc != OQS_SUCCESS) {
 		std::cerr << "ERROR: OQS_SIG_dilithium_2_keypair failed!" << std::endl;
 		cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
 		return OQS_ERROR;
 	}
 	rc = OQS_SIG_dilithium_2_sign(signature, &signature_len, message, message_len, secret_key);
 	if (rc != OQS_SUCCESS) {
 		std::cerr << "ERROR: OQS_SIG_dilithium_2_sign failed!" << std::endl;
 		cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
 		return OQS_ERROR;
 	}
 	rc = OQS_SIG_dilithium_2_verify(message, message_len, signature, signature_len, public_key);
 	if (rc != OQS_SUCCESS) {
 		std::cerr << "ERROR: OQS_SIG_dilithium_2_verify failed!" << std::endl;
 		cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
 		return OQS_ERROR;
 	}
 	std::cout << "[example_stack] OQS_SIG_dilithium_2 operations completed" << std::endl;
 	cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
 	return OQS_SUCCESS; // success!
 #else
 	std::cout << "[example_stack] OQS_SIG_dilithium_2 was not enabled at compile-time" << std::endl;
 	return OQS_SUCCESS;
 #endif
 }
 /* This function gives an example of the signing operations,
 * allocating variables dynamically on the heap and calling the generic
 * OQS_SIG object.
 *
 * This does not require the use of compile-time macros to check if the
 * algorithm in question was enabled at compile-time; instead, the caller
 * must check that the OQS_SIG object returned is not nullptr.
 */
 static OQS_STATUS example_heap(void) {
 #ifdef OQS_ENABLE_SIG_dilithium_2
 	size_t message_len = MESSAGE_LEN;
 	size_t signature_len;
 	OQS_STATUS rc;
 	std::unique_ptr<OQS_SIG, OQSSigDeleter> sig(OQS_SIG_new((OQS_SIG_alg_dilithium_2)));
 	if (sig == nullptr) {
 		throw std::runtime_error("[example_heap]  OQS_SIG_alg_dilithium_2 was not enabled at compile-time.");
 	}
 	std::unique_ptr<uint8_t[], OQSInsecureDeleter> public_key(static_cast<uint8_t*>(malloc(sig->length_public_key)));
 	std::unique_ptr<uint8_t[], OQSSecureDeleter> secret_key(static_cast<uint8_t*>(malloc(sig->length_secret_key)), OQSSecureDeleter(sig->length_secret_key));
 	std::unique_ptr<uint8_t[], OQSInsecureDeleter> message(static_cast<uint8_t*>(malloc(message_len)));
 	std::unique_ptr<uint8_t[], OQSInsecureDeleter> signature(static_cast<uint8_t*>(malloc(sig->length_signature)));
 	if ((public_key == nullptr) || (secret_key == nullptr) || (message == nullptr) || (signature == nullptr)) {
 		throw std::runtime_error("ERROR: malloc failed!");
 	}
 	// let's create a random test message to sign
 	OQS_randombytes(message.get(), message_len);
 	rc = OQS_SIG_keypair(sig.get(), public_key.get(), secret_key.get());
 	if (rc != OQS_SUCCESS) {
 		throw std::runtime_error("ERROR: OQS_SIG_keypair failed!");
 	}
 	rc = OQS_SIG_sign(sig.get(), signature.get(), &signature_len, message.get(), message_len, secret_key.get());
 	if (rc != OQS_SUCCESS) {
 		throw std::runtime_error("ERROR: OQS_SIG_sign failed!");
 	}
 	rc = OQS_SIG_verify(sig.get(), message.get(), message_len, signature.get(), signature_len, public_key.get());
 	if (rc != OQS_SUCCESS) {
 		throw std::runtime_error("ERROR: OQS_SIG_verify failed!");
 	}
 	std::cout << "[example_heap]  OQS_SIG_dilithium_2 operations completed." << std::endl;
 	return OQS_SUCCESS; // success
 #else
 	std::cout << "[example_heap] OQS_SIG_dilithium_2 was not enabled at compile-time." << std::endl;
 	return OQS_SUCCESS;
 #endif
 }
 int main() {
 	OQS_init();
 	try {
 		example_stack();
 		example_heap();
 	}
 	catch (std::exception e) {
 		std::cerr << e.what() << std::endl;
 		OQS_destroy();
 		return EXIT_FAILURE;
 	}
 	OQS_destroy();
 	return EXIT_SUCCESS;
 }
 void cleanup_stack(uint8_t *secret_key, size_t secret_key_len) {
 	OQS_MEM_cleanse(secret_key, secret_key_len);
 }
--- a/docs/.Doxyfile
+++ b/docs/.Doxyfile
@ -957,8 +957,10 @@ INPUT                  = src/common/aes/aes_ops.h \
                         src/common/sha3/sha3x4_ops.h \
                         src/kem/kem.h \
                         src/sig/sig.h \
                         src/sig_stfl/sig_stfl.h \
                         README.md \
                         CONFIGURE.md \
                         SECURITY.md \
                         CONTRIBUTORS
 # This tag can be used to specify the character encoding of the source files
--- a/docs/FUZZING.md
+++ b/docs/FUZZING.md
@ -0,0 +1,77 @@
 # Fuzzing
 Fuzz testing is an automated software testing method that injects invalid, 
 malformed, or unexpected inputs to reveal defects and vulnerabilities. A fuzzing 
 tool monitors the system for exceptions like crashes, information leakage, or 
 errors, helping developers identify and fix bugs and security loopholes.
 ## Current state of fuzzing in liboqs
 - [ ] kem 
  - [ ] bike
  - [ ] classic_mceliece
  - [ ] frodokem
  - [ ] hqc
  - [ ] kyber
  - [ ] ml_kem
  - [ ] ntruprime
 - [ ] sig
  - [x] dilithium
  - [x] falcon
  - [x] mayo
  - [x] ml_dsa
  - [x] sphincs
 - [ ] sig_stfl
  - [ ] lms
  - [ ] sig_stfl
  - [ ] xmss
 ## Building and running fuzz tests
 Building fuzz tests is very similar to building normally with some optional
 steps to target different types of bugs. The most basic ways to build the
 fuzz tests is as follows;
 ```bash
 mkdir build && cd build
 cmake -GNinja ..  -DOQS_BUILD_FUZZ_TESTS=ON
 ninja -j$(nproc)
 ```
 You'll now be able to run a fuzz test e.g.
 ```bash
 ./tests/fuzz_test_dilithium2
 #9764	NEW    cov: 4 ft: 708 corp: 100/318b lim: 43 exec/s: 9764 rss: 362Mb L: 41/41 MS: 4 EraseBytes-InsertRepeatedBytes-CMP-ChangeBit- DE: "\0004m\372"-
 ...
 ```
 The fuzzer will run indefinetely or;
 - until it finds a bug and crashes,
 - you manually stop the fuzzer i.e. CTRL-C
 - you set a timeout using the command line.
 For more details on the available command line args please consult the [libfuzzer docs](https://llvm.org/docs/LibFuzzer.html).
 ## Sanitizers
 It is a common pattern to combine fuzzing with various sanitizers to catch different bugs.
 One of the simpler sanitizers is the fuzzing sanitizer, which will instrument the code
 for coverage driven fuzzing. To enable this simply add this to your environment variables
 before configuring cmake;
 ```
 export CFLAGS=-fsanitize=fuzzer-no-link
 ```
 It is common to combine the fuzzer sanitizer with either the [address](https://clang.llvm.org/docs/AddressSanitizer.html)
 or the [undefined behaviour sanitizer](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html). To
 add these simply add the relevant flags to BOTH the CFLAGS and LDFLAGS e.g.
 ```
 export CFLAGS=-fsanitize=fuzzer-no-link,address
 export LDFLAGS=-fsanitize=address
 ```
 Then rerun cmake as normal i.e.
 ```bash
 mkdir build && cd build
 cmake -GNinja ..  -DOQS_BUILD_FUZZ_TESTS=ON
 ninja -j$(nproc)
 ```
--- a/docs/algorithms/kem/bike.md
+++ b/docs/algorithms/kem/bike.md
@ -13,11 +13,11 @@
 ## Parameter set summary
-|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
-|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
-|     BIKE-L1     | NA                    | IND-CPA          |                    1 |                      1541 |                      5223 |                      1573 |                           32 |
+|     BIKE-L1     | NA                    | IND-CPA          |                    1 |                      1541 |                      5223 |                      1573 |                           32 | NA                          |
-|     BIKE-L3     | NA                    | IND-CPA          |                    3 |                      3083 |                     10105 |                      3115 |                           32 |
+|     BIKE-L3     | NA                    | IND-CPA          |                    3 |                      3083 |                     10105 |                      3115 |                           32 | NA                          |
-|     BIKE-L5     | NA                    | IND-CPA          |                    5 |                      5122 |                     16494 |                      5154 |                           32 |
+|     BIKE-L5     | NA                    | IND-CPA          |                    5 |                      5122 |                     16494 |                      5154 |                           32 | NA                          |
 ## BIKE-L1 implementation characteristics
--- a/docs/algorithms/kem/classic_mceliece.md
+++ b/docs/algorithms/kem/classic_mceliece.md
@ -6,7 +6,7 @@
 - **Authors' website**: https://classic.mceliece.org
 - **Specification version**: SUPERCOP-20221025.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
  - **Implementation license (SPDX-Identifier)**: Public domain
 - **Ancestors of primary source**:
  - SUPERCOP-20221025 "clean" and "avx2" implementations
@ -18,18 +18,18 @@
 ## Parameter set summary
-|       Parameter set       | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|       Parameter set       | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
-|:-------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:-------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
-|  Classic-McEliece-348864  | NA                    | IND-CCA2         |                    1 |                    261120 |                      6492 |                        96 |                           32 |
+|  Classic-McEliece-348864  | NA                    | IND-CCA2         |                    1 |                    261120 |                      6492 |                        96 |                           32 | NA                          |
-| Classic-McEliece-348864f  | NA                    | IND-CCA2         |                    1 |                    261120 |                      6492 |                        96 |                           32 |
+| Classic-McEliece-348864f  | NA                    | IND-CCA2         |                    1 |                    261120 |                      6492 |                        96 |                           32 | NA                          |
-|  Classic-McEliece-460896  | NA                    | IND-CCA2         |                    3 |                    524160 |                     13608 |                       156 |                           32 |
+|  Classic-McEliece-460896  | NA                    | IND-CCA2         |                    3 |                    524160 |                     13608 |                       156 |                           32 | NA                          |
-| Classic-McEliece-460896f  | NA                    | IND-CCA2         |                    3 |                    524160 |                     13608 |                       156 |                           32 |
+| Classic-McEliece-460896f  | NA                    | IND-CCA2         |                    3 |                    524160 |                     13608 |                       156 |                           32 | NA                          |
-| Classic-McEliece-6688128  | NA                    | IND-CCA2         |                    5 |                   1044992 |                     13932 |                       208 |                           32 |
+| Classic-McEliece-6688128  | NA                    | IND-CCA2         |                    5 |                   1044992 |                     13932 |                       208 |                           32 | NA                          |
-| Classic-McEliece-6688128f | NA                    | IND-CCA2         |                    5 |                   1044992 |                     13932 |                       208 |                           32 |
+| Classic-McEliece-6688128f | NA                    | IND-CCA2         |                    5 |                   1044992 |                     13932 |                       208 |                           32 | NA                          |
-| Classic-McEliece-6960119  | NA                    | IND-CCA2         |                    5 |                   1047319 |                     13948 |                       194 |                           32 |
+| Classic-McEliece-6960119  | NA                    | IND-CCA2         |                    5 |                   1047319 |                     13948 |                       194 |                           32 | NA                          |
-| Classic-McEliece-6960119f | NA                    | IND-CCA2         |                    5 |                   1047319 |                     13948 |                       194 |                           32 |
+| Classic-McEliece-6960119f | NA                    | IND-CCA2         |                    5 |                   1047319 |                     13948 |                       194 |                           32 | NA                          |
-| Classic-McEliece-8192128  | NA                    | IND-CCA2         |                    5 |                   1357824 |                     14120 |                       208 |                           32 |
+| Classic-McEliece-8192128  | NA                    | IND-CCA2         |                    5 |                   1357824 |                     14120 |                       208 |                           32 | NA                          |
-| Classic-McEliece-8192128f | NA                    | IND-CCA2         |                    5 |                   1357824 |                     14120 |                       208 |                           32 |
+| Classic-McEliece-8192128f | NA                    | IND-CCA2         |                    5 |                   1357824 |                     14120 |                       208 |                           32 | NA                          |
 ## Classic-McEliece-348864 implementation characteristics
--- a/docs/algorithms/kem/classic_mceliece.yml
+++ b/docs/algorithms/kem/classic_mceliece.yml
@ -378,4 +378,4 @@ parameter-sets:
 auxiliary-submitters: []
 primary-upstream:
  spdx-license-identifier: Public domain
-  source: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
--- a/docs/algorithms/kem/frodokem.md
+++ b/docs/algorithms/kem/frodokem.md
@ -12,14 +12,14 @@
 ## Parameter set summary
-|    Parameter set    | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|    Parameter set    | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
-|:-------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:-------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
-|  FrodoKEM-640-AES   | NA                    | IND-CCA2         |                    1 |                      9616 |                     19888 |                      9720 |                           16 |
+|  FrodoKEM-640-AES   | NA                    | IND-CCA2         |                    1 |                      9616 |                     19888 |                      9720 |                           16 | NA                          |
-| FrodoKEM-640-SHAKE  | NA                    | IND-CCA2         |                    1 |                      9616 |                     19888 |                      9720 |                           16 |
+| FrodoKEM-640-SHAKE  | NA                    | IND-CCA2         |                    1 |                      9616 |                     19888 |                      9720 |                           16 | NA                          |
-|  FrodoKEM-976-AES   | NA                    | IND-CCA2         |                    3 |                     15632 |                     31296 |                     15744 |                           24 |
+|  FrodoKEM-976-AES   | NA                    | IND-CCA2         |                    3 |                     15632 |                     31296 |                     15744 |                           24 | NA                          |
-| FrodoKEM-976-SHAKE  | NA                    | IND-CCA2         |                    3 |                     15632 |                     31296 |                     15744 |                           24 |
+| FrodoKEM-976-SHAKE  | NA                    | IND-CCA2         |                    3 |                     15632 |                     31296 |                     15744 |                           24 | NA                          |
-|  FrodoKEM-1344-AES  | NA                    | IND-CCA2         |                    5 |                     21520 |                     43088 |                     21632 |                           32 |
+|  FrodoKEM-1344-AES  | NA                    | IND-CCA2         |                    5 |                     21520 |                     43088 |                     21632 |                           32 | NA                          |
-| FrodoKEM-1344-SHAKE | NA                    | IND-CCA2         |                    5 |                     21520 |                     43088 |                     21632 |                           32 |
+| FrodoKEM-1344-SHAKE | NA                    | IND-CCA2         |                    5 |                     21520 |                     43088 |                     21632 |                           32 | NA                          |
 ## FrodoKEM-640-AES implementation characteristics
--- a/docs/algorithms/kem/hqc.md
+++ b/docs/algorithms/kem/hqc.md
@ -6,7 +6,7 @@
 - **Authors' website**: https://pqc-hqc.org/
 - **Specification version**: 2023-04-30.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
  - **Implementation license (SPDX-Identifier)**: Public domain
 - **Ancestors of primary source**:
  - https://github.com/SWilson4/package-pqclean/tree/8db1b24b/hqc, which takes it from:
@ -14,11 +14,11 @@
 ## Parameter set summary
-|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
-|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
-|     HQC-128     | NA                    | IND-CCA2         |                    1 |                      2249 |                      2305 |                      4433 |                           64 |
+|     HQC-128     | NA                    | IND-CCA2         |                    1 |                      2249 |                      2305 |                      4433 |                           64 | NA                          |
-|     HQC-192     | NA                    | IND-CCA2         |                    3 |                      4522 |                      4586 |                      8978 |                           64 |
+|     HQC-192     | NA                    | IND-CCA2         |                    3 |                      4522 |                      4586 |                      8978 |                           64 | NA                          |
-|     HQC-256     | NA                    | IND-CCA2         |                    5 |                      7245 |                      7317 |                     14421 |                           64 |
+|     HQC-256     | NA                    | IND-CCA2         |                    5 |                      7245 |                      7317 |                     14421 |                           64 | NA                          |
 ## HQC-128 implementation characteristics
--- a/docs/algorithms/kem/hqc.yml
+++ b/docs/algorithms/kem/hqc.yml
@ -76,4 +76,4 @@ parameter-sets:
    upstream: primary-upstream
 primary-upstream:
  spdx-license-identifier: Public domain
-  source: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@ -21,11 +21,11 @@
 ## Parameter set summary
-|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
-|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
-|    Kyber512     | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 |
+|    Kyber512     | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 | NA                          |
-|    Kyber768     | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 |
+|    Kyber768     | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 | NA                          |
-|    Kyber1024    | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |
+|    Kyber1024    | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 | NA                          |
 ## Kyber512 implementation characteristics
--- a/docs/algorithms/kem/ml_kem.md
+++ b/docs/algorithms/kem/ml_kem.md
@ -7,24 +7,30 @@
 - **Authors' website**: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
 - **Specification version**: ML-KEM.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd with copy_from_upstream patches
+  - **Source**: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
  - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
 - **Optimized Implementation sources**: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
  - **cupqc-cuda**:<a name="cupqc-cuda"></a>
      - **Source**: https://github.com/open-quantum-safe/liboqs-cupqc-meta/commit/b026f4e5475cd9c20c2082c7d9bad80e5b0ba89e
      - **Implementation license (SPDX-Identifier)**: Apache-2.0
 ## Parameter set summary
-|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |   Keypair seed size (bytes) |
-|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|----------------------------:|
-|   ML-KEM-512    | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 |
+|   ML-KEM-512    | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 |                          64 |
-|   ML-KEM-768    | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 |
+|   ML-KEM-768    | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 |                          64 |
-|   ML-KEM-1024   | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |
+|   ML-KEM-1024   | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |                          64 |
 ## ML-KEM-512 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
-| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | x86\_64                  | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                 |
 | [Primary Source](#primary-source) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
 |     [cupqc-cuda](#cupqc-cuda)     | cuda                     | CUDA                        | Linux,Darwin                    | None                    | False                              | False                                          | False                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
@ -35,7 +41,9 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
-| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | x86\_64                  | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 |     [cupqc-cuda](#cupqc-cuda)     | cuda                     | CUDA                        | Linux,Darwin                    | None                    | False                              | False                                          | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
@ -44,7 +52,9 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
-| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | x86\_64                  | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 |     [cupqc-cuda](#cupqc-cuda)     | cuda                     | CUDA                        | Linux,Darwin                    | None                    | False                              | False                                          | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
--- a/docs/algorithms/kem/ml_kem.yml
+++ b/docs/algorithms/kem/ml_kem.yml
@ -17,9 +17,12 @@ website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
 nist-round: FIPS203
 spec-version: ML-KEM
 primary-upstream:
-  source: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd
+  source: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
    with copy_from_upstream patches
  spdx-license-identifier: CC0-1.0 or Apache-2.0
 optimized-upstreams:
  cupqc-cuda:
    source: https://github.com/open-quantum-safe/liboqs-cupqc-meta/commit/b026f4e5475cd9c20c2082c7d9bad80e5b0ba89e
    spdx-license-identifier: Apache-2.0
 parameter-sets:
 - name: ML-KEM-512
  claimed-nist-level: 1
@ -28,6 +31,7 @@ parameter-sets:
  length-ciphertext: 768
  length-secret-key: 1632
  length-shared-secret: 32
  length-keypair-seed: 64
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -39,7 +43,7 @@ parameter-sets:
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
-    upstream-id: avx2
+    upstream-id: x86_64
    supported-platforms:
    - architecture: x86_64
      operating_systems:
@ -54,6 +58,28 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: cupqc-cuda
    upstream-id: cuda
    supported-platforms:
    - architecture: CUDA
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: false
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
 - name: ML-KEM-768
  claimed-nist-level: 3
  claimed-security: IND-CCA2
@ -61,6 +87,7 @@ parameter-sets:
  length-ciphertext: 1088
  length-secret-key: 2400
  length-shared-secret: 32
  length-keypair-seed: 64
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -72,7 +99,7 @@ parameter-sets:
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
-    upstream-id: avx2
+    upstream-id: x86_64
    supported-platforms:
    - architecture: x86_64
      operating_systems:
@ -87,6 +114,28 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: cupqc-cuda
    upstream-id: cuda
    supported-platforms:
    - architecture: CUDA
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: false
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
 - name: ML-KEM-1024
  claimed-nist-level: 5
  claimed-security: IND-CCA2
@ -94,6 +143,7 @@ parameter-sets:
  length-ciphertext: 1568
  length-secret-key: 3168
  length-shared-secret: 32
  length-keypair-seed: 64
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -105,7 +155,7 @@ parameter-sets:
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
-    upstream-id: avx2
+    upstream-id: x86_64
    supported-platforms:
    - architecture: x86_64
      operating_systems:
@ -120,3 +170,25 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: cupqc-cuda
    upstream-id: cuda
    supported-platforms:
    - architecture: CUDA
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: false
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
--- a/docs/algorithms/kem/ntruprime.md
+++ b/docs/algorithms/kem/ntruprime.md
@ -14,9 +14,9 @@
 ## Parameter set summary
-|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
-|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
-|    sntrup761    | NA                    | IND-CCA2         |                    2 |                      1158 |                      1763 |                      1039 |                           32 |
+|    sntrup761    | NA                    | IND-CCA2         |                    2 |                      1158 |                      1763 |                      1039 |                           32 | NA                          |
 ## sntrup761 implementation characteristics
--- a/docs/algorithms/sig/cross.md
+++ b/docs/algorithms/sig/cross.md
@ -2,12 +2,12 @@
 - **Algorithm type**: Digital signature scheme.
 - **Main cryptographic assumption**: hardness of the restricted syndrome decoding problem for random linear codes on a finite field.
- **Principal submitters**: Marco Baldi, Alessandro Barenghi, Sebastian Bitzer, Patrick Karl, Felice Manganiello, Alessio Pavoni, Gerardo Pelosi, Paolo Santini, Jonas Schupp, Freeman Slaughter, Antonia Wachter-Zeh, Violetta Weger.
+- **Principal submitters**: Marco Baldi, Alessandro Barenghi, Michele Battagliola, Sebastian Bitzer, Patrick Karl, Felice Manganiello, Alessio Pavoni, Gerardo Pelosi, Paolo Santini, Jonas Schupp, Edoardo Signorini, Freeman Slaughter, Antonia Wachter-Zeh, Violetta Weger.
 - **Auxiliary submitters**: Marco Gianvecchio.
 - **Authors' website**: https://www.cross-crypto.com/
- **Specification version**: 1.2 + Keccak_x4 + PQClean fixes.
+- **Specification version**: 2.0 + PQClean and OQS patches.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/rtjk/CROSS-PQClean/commit/577d7c761c684637923c8648644cf2f4d7b41954
+  - **Source**: https://github.com/CROSS-signature/CROSS-lib-oqs/commit/efd17279e75308b000bda7c7f58866620d652bc1
  - **Implementation license (SPDX-Identifier)**: CC0-1.0
@ -15,24 +15,24 @@
 |      Parameter set       | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-| cross-rsdp-128-balanced  | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    12912 |
+| cross-rsdp-128-balanced  | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    13152 |
-|   cross-rsdp-128-fast    | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    19152 |
+|   cross-rsdp-128-fast    | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    18432 |
-|   cross-rsdp-128-small   | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    10080 |
+|   cross-rsdp-128-small   | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    12432 |
-| cross-rsdp-192-balanced  | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    28222 |
+| cross-rsdp-192-balanced  | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    29853 |
-|   cross-rsdp-192-fast    | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    42682 |
+|   cross-rsdp-192-fast    | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    41406 |
-|   cross-rsdp-192-small   | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    23642 |
+|   cross-rsdp-192-small   | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    28391 |
-| cross-rsdp-256-balanced  | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    51056 |
+| cross-rsdp-256-balanced  | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    53527 |
-|   cross-rsdp-256-fast    | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    76298 |
+|   cross-rsdp-256-fast    | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    74590 |
-|   cross-rsdp-256-small   | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    43592 |
+|   cross-rsdp-256-small   | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    50818 |
-| cross-rsdpg-128-balanced | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                     9236 |
+| cross-rsdpg-128-balanced | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                     9120 |
-|   cross-rsdpg-128-fast   | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                    12472 |
+|   cross-rsdpg-128-fast   | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                    11980 |
-|  cross-rsdpg-128-small   | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                     7956 |
+|  cross-rsdpg-128-small   | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                     8960 |
-| cross-rsdpg-192-balanced | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    23380 |
+| cross-rsdpg-192-balanced | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    22464 |
-|   cross-rsdpg-192-fast   | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    27404 |
+|   cross-rsdpg-192-fast   | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    26772 |
-|  cross-rsdpg-192-small   | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    18188 |
+|  cross-rsdpg-192-small   | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    20452 |
-| cross-rsdpg-256-balanced | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    40134 |
+| cross-rsdpg-256-balanced | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    40100 |
-|   cross-rsdpg-256-fast   | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    48938 |
+|   cross-rsdpg-256-fast   | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    48102 |
-|  cross-rsdpg-256-small   | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    32742 |
+|  cross-rsdpg-256-small   | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    36454 |
 ## cross-rsdp-128-balanced implementation characteristics
@ -52,7 +52,7 @@ Are implementations chosen based on runtime CPU feature detection? **No**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-128-small implementation characteristics
@ -61,7 +61,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-192-balanced implementation characteristics
@ -70,7 +70,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-192-fast implementation characteristics
@ -79,7 +79,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-192-small implementation characteristics
@ -88,7 +88,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-256-balanced implementation characteristics
@ -97,7 +97,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-256-fast implementation characteristics
@ -106,7 +106,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdp-256-small implementation characteristics
@ -115,7 +115,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-128-balanced implementation characteristics
@ -124,7 +124,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-128-fast implementation characteristics
@ -133,7 +133,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-128-small implementation characteristics
@ -142,7 +142,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-192-balanced implementation characteristics
@ -151,7 +151,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-192-fast implementation characteristics
@ -160,7 +160,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-192-small implementation characteristics
@ -169,7 +169,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-256-balanced implementation characteristics
@ -178,7 +178,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-256-fast implementation characteristics
@ -187,7 +187,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## cross-rsdpg-256-small implementation characteristics
@ -196,7 +196,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 | [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
+Are implementations chosen based on runtime CPU feature detection? **No**.
 ## Explanation of Terms
--- a/docs/algorithms/sig/cross.yml
+++ b/docs/algorithms/sig/cross.yml
@ -3,6 +3,7 @@ type: signature
 principal-submitters:
 - Marco Baldi
 - Alessandro Barenghi
 - Michele Battagliola
 - Sebastian Bitzer
 - Patrick Karl
 - Felice Manganiello
@ -10,6 +11,7 @@ principal-submitters:
 - Gerardo Pelosi
 - Paolo Santini
 - Jonas Schupp
 - Edoardo Signorini
 - Freeman Slaughter
 - Antonia Wachter-Zeh
 - Violetta Weger
@ -18,10 +20,10 @@ auxiliary-submitters:
 crypto-assumption: hardness of the restricted syndrome decoding problem for random
  linear codes on a finite field
 website: https://www.cross-crypto.com/
-nist-round: 1
+nist-round: 2
-spec-version: 1.2 + Keccak_x4 + PQClean fixes
+spec-version: 2.0 + PQClean and OQS patches
 primary-upstream:
-  source: https://github.com/rtjk/CROSS-PQClean/commit/577d7c761c684637923c8648644cf2f4d7b41954
+  source: https://github.com/CROSS-signature/CROSS-lib-oqs/commit/efd17279e75308b000bda7c7f58866620d652bc1
  spdx-license-identifier: CC0-1.0
 parameter-sets:
 - name: cross-rsdp-128-balanced
@ -30,7 +32,7 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 77
  length-secret-key: 32
-  length-signature: 12912
+  length-signature: 13152
  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
@ -58,8 +60,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 77
  length-secret-key: 32
-  length-signature: 19152
+  length-signature: 18432
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -86,8 +88,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 77
  length-secret-key: 32
-  length-signature: 10080
+  length-signature: 12432
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -114,8 +116,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 115
  length-secret-key: 48
-  length-signature: 28222
+  length-signature: 29853
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -142,8 +144,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 115
  length-secret-key: 48
-  length-signature: 42682
+  length-signature: 41406
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -170,8 +172,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 115
  length-secret-key: 48
-  length-signature: 23642
+  length-signature: 28391
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -198,8 +200,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 153
  length-secret-key: 64
-  length-signature: 51056
+  length-signature: 53527
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -226,8 +228,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 153
  length-secret-key: 64
-  length-signature: 76298
+  length-signature: 74590
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -254,8 +256,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 153
  length-secret-key: 64
-  length-signature: 43592
+  length-signature: 50818
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -282,8 +284,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 54
  length-secret-key: 32
-  length-signature: 9236
+  length-signature: 9120
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -310,8 +312,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 54
  length-secret-key: 32
-  length-signature: 12472
+  length-signature: 11980
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -338,8 +340,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 54
  length-secret-key: 32
-  length-signature: 7956
+  length-signature: 8960
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -366,8 +368,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 83
  length-secret-key: 48
-  length-signature: 23380
+  length-signature: 22464
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -394,8 +396,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 83
  length-secret-key: 48
-  length-signature: 27404
+  length-signature: 26772
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -422,8 +424,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 83
  length-secret-key: 48
-  length-signature: 18188
+  length-signature: 20452
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -450,8 +452,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 106
  length-secret-key: 64
-  length-signature: 40134
+  length-signature: 40100
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -478,8 +480,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 106
  length-secret-key: 64
-  length-signature: 48938
+  length-signature: 48102
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
@ -506,8 +508,8 @@ parameter-sets:
  claimed-security: EUF-CMA
  length-public-key: 106
  length-secret-key: 64
-  length-signature: 32742
+  length-signature: 36454
-  implementations-switch-on-runtime-cpu-features: true
+  implementations-switch-on-runtime-cpu-features: false
  implementations:
  - upstream: primary-upstream
    upstream-id: clean
--- a/docs/algorithms/sig/dilithium.md
+++ b/docs/algorithms/sig/dilithium.md
@ -19,9 +19,9 @@
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-|   Dilithium2    | NA                    | EUF-CMA          |                    2 |                      1312 |                      2528 |                     2420 |
+|   Dilithium2    | NA                    | SUF-CMA          |                    2 |                      1312 |                      2528 |                     2420 |
-|   Dilithium3    | NA                    | EUF-CMA          |                    3 |                      1952 |                      4000 |                     3293 |
+|   Dilithium3    | NA                    | SUF-CMA          |                    3 |                      1952 |                      4000 |                     3293 |
-|   Dilithium5    | NA                    | EUF-CMA          |                    5 |                      2592 |                      4864 |                     4595 |
+|   Dilithium5    | NA                    | SUF-CMA          |                    5 |                      2592 |                      4864 |                     4595 |
 ## Dilithium2 implementation characteristics
--- a/docs/algorithms/sig/dilithium.yml
+++ b/docs/algorithms/sig/dilithium.yml
@ -28,7 +28,7 @@ parameter-sets:
 - name: Dilithium2
  oqs_alg: OQS_SIG_alg_dilithium_2
  claimed-nist-level: 2
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
  length-public-key: 1312
  length-secret-key: 2528
  length-signature: 2420
@ -72,7 +72,7 @@ parameter-sets:
 - name: Dilithium3
  oqs_alg: OQS_SIG_alg_dilithium_3
  claimed-nist-level: 3
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
  length-public-key: 1952
  length-secret-key: 4000
  length-signature: 3293
@ -116,7 +116,7 @@ parameter-sets:
 - name: Dilithium5
  oqs_alg: OQS_SIG_alg_dilithium_5
  claimed-nist-level: 5
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
  length-public-key: 2592
  length-secret-key: 4864
  length-signature: 4595
--- a/docs/algorithms/sig/falcon.md
+++ b/docs/algorithms/sig/falcon.md
@ -7,9 +7,9 @@
 - **Authors' website**: https://falcon-sign.info
 - **Specification version**: 20211101.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
  - **Implementation license (SPDX-Identifier)**: MIT
- **Optimized Implementation sources**: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+- **Optimized Implementation sources**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
  - **pqclean-aarch64**:<a name="pqclean-aarch64"></a>
      - **Source**: https://github.com/PQClean/PQClean/commit/7707d1bcc8ae7f9ffd296dd13b1d76d2767d14f8
      - **Implementation license (SPDX-Identifier)**: Apache-2.0
--- a/docs/algorithms/sig/falcon.yml
+++ b/docs/algorithms/sig/falcon.yml
@ -18,7 +18,7 @@ website: https://falcon-sign.info
 nist-round: 3
 spec-version: 20211101
 primary-upstream:
-  source: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
  spdx-license-identifier: MIT
  upstream-ancestors:
  - https://www.falcon-sign.info
--- a/docs/algorithms/sig/mayo.md
+++ b/docs/algorithms/sig/mayo.md
@ -4,9 +4,9 @@
 - **Main cryptographic assumption**: multivariable quadratic equations, oil and vinegar.
 - **Principal submitters**: Ward Beullens, Fabio Campos, Sofía Celi, Basil Hess, Matthias J. Kannwischer.
 - **Authors' website**: https://pqmayo.org
- **Specification version**: https://doi.org/10.46586/tches.v2024.i2.252-275.
+- **Specification version**: NIST Round 2 (February 2025).
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/PQCMayo/MAYO-C/commit/cde2675ff404b0ae070e7dbc3d962ea0b026a81e with copy_from_upstream patches
+  - **Source**: https://github.com/PQCMayo/MAYO-C/commit/4b7cd94c96b9522864efe40c6ad1fa269584a807 with copy_from_upstream patches
  - **Implementation license (SPDX-Identifier)**: Apache-2.0
@ -14,10 +14,10 @@
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-|     MAYO-1      | NA                    | EUF-CMA          |                    1 |                      1168 |                        24 |                      321 |
+|     MAYO-1      | NA                    | EUF-CMA          |                    1 |                      1420 |                        24 |                      454 |
-|     MAYO-2      | NA                    | EUF-CMA          |                    1 |                      5488 |                        24 |                      180 |
+|     MAYO-2      | NA                    | EUF-CMA          |                    1 |                      4912 |                        24 |                      186 |
-|     MAYO-3      | NA                    | EUF-CMA          |                    3 |                      2656 |                        32 |                      577 |
+|     MAYO-3      | NA                    | EUF-CMA          |                    3 |                      2986 |                        32 |                      681 |
-|     MAYO-5      | NA                    | EUF-CMA          |                    5 |                      5008 |                        40 |                      838 |
+|     MAYO-5      | NA                    | EUF-CMA          |                    5 |                      5554 |                        40 |                      964 |
 ## MAYO-1 implementation characteristics
@ -25,6 +25,7 @@
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | False                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | False                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
@ -36,6 +37,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
@ -45,6 +47,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
@ -52,8 +55,9 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
--- a/docs/algorithms/sig/mayo.yml
+++ b/docs/algorithms/sig/mayo.yml
@ -8,19 +8,19 @@ principal-submitters:
 - Matthias J. Kannwischer
 crypto-assumption: multivariable quadratic equations, oil and vinegar
 website: https://pqmayo.org
-nist-round: 1
+nist-round: 2
-spec-version: https://doi.org/10.46586/tches.v2024.i2.252-275
+spec-version: NIST Round 2 (February 2025)
 primary-upstream:
-  source: https://github.com/PQCMayo/MAYO-C/commit/cde2675ff404b0ae070e7dbc3d962ea0b026a81e
+  source: https://github.com/PQCMayo/MAYO-C/commit/4b7cd94c96b9522864efe40c6ad1fa269584a807
    with copy_from_upstream patches
  spdx-license-identifier: Apache-2.0
 parameter-sets:
 - name: MAYO-1
  claimed-nist-level: 1
  claimed-security: EUF-CMA
-  length-public-key: 1168
+  length-public-key: 1420
  length-secret-key: 24
-  length-signature: 321
+  length-signature: 454
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -47,12 +47,25 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
 - name: MAYO-2
  claimed-nist-level: 1
  claimed-security: EUF-CMA
-  length-public-key: 5488
+  length-public-key: 4912
  length-secret-key: 24
-  length-signature: 180
+  length-signature: 186
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -79,12 +92,25 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
 - name: MAYO-3
  claimed-nist-level: 3
  claimed-security: EUF-CMA
-  length-public-key: 2656
+  length-public-key: 2986
  length-secret-key: 32
-  length-signature: 577
+  length-signature: 681
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -110,12 +136,25 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
 - name: MAYO-5
  claimed-nist-level: 5
  claimed-security: EUF-CMA
-  length-public-key: 5008
+  length-public-key: 5554
  length-secret-key: 40
-  length-signature: 838
+  length-signature: 964
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
@ -125,7 +164,7 @@ parameter-sets:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
-    large-stack-usage: false
+    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
@ -141,3 +180,16 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: true
--- a/docs/algorithms/sig/ml_dsa.md
+++ b/docs/algorithms/sig/ml_dsa.md
@ -4,10 +4,10 @@
 - **Main cryptographic assumption**: hardness of lattice problems over module lattices.
 - **Principal submitters**: Vadim Lyubashevsky.
 - **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd
+- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
- **Specification version**: ML-DSA-ipd.
+- **Specification version**: ML-DSA.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c with copy_from_upstream patches
+  - **Source**: https://github.com/pq-crystals/dilithium/commit/444cdcc84eb36b66fe27b3a2529ee48f6d8150c2 with copy_from_upstream patches
  - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
@ -15,11 +15,11 @@
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-|  ML-DSA-44-ipd  | ML-DSA-44             | EUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
+|    ML-DSA-44    | NA                    | SUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
-|  ML-DSA-65-ipd  | ML-DSA-65             | EUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
+|    ML-DSA-65    | NA                    | SUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
-|  ML-DSA-87-ipd  | ML-DSA-87             | EUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
+|    ML-DSA-87    | NA                    | SUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
-## ML-DSA-44-ipd implementation characteristics
+## ML-DSA-44 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
@ -30,7 +30,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
-## ML-DSA-65-ipd implementation characteristics
+## ML-DSA-65 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
@ -39,7 +39,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
-## ML-DSA-87-ipd implementation characteristics
+## ML-DSA-87 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
--- a/docs/algorithms/sig/ml_dsa.yml
+++ b/docs/algorithms/sig/ml_dsa.yml
@ -11,18 +11,17 @@ auxiliary-submitters:
 - Gregor Seiler
 - Damien Stehlé
 crypto-assumption: hardness of lattice problems over module lattices
-website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd
+website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
-nist-round: ipd
+nist-round: FIPS204
-spec-version: ML-DSA-ipd
+spec-version: ML-DSA
 primary-upstream:
-  source: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c
+  source: https://github.com/pq-crystals/dilithium/commit/444cdcc84eb36b66fe27b3a2529ee48f6d8150c2
    with copy_from_upstream patches
  spdx-license-identifier: CC0-1.0 or Apache-2.0
 parameter-sets:
- name: ML-DSA-44-ipd
+- name: ML-DSA-44
  alias: ML-DSA-44
  claimed-nist-level: 2
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
  length-public-key: 1312
  length-secret-key: 2560
  length-signature: 2420
@ -51,10 +50,9 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
- name: ML-DSA-65-ipd
+- name: ML-DSA-65
  alias: ML-DSA-65
  claimed-nist-level: 3
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
  length-public-key: 1952
  length-secret-key: 4032
  length-signature: 3309
@ -83,10 +81,9 @@ parameter-sets:
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
- name: ML-DSA-87-ipd
+- name: ML-DSA-87
  alias: ML-DSA-87
  claimed-nist-level: 5
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
  length-public-key: 2592
  length-secret-key: 4896
  length-signature: 4627
--- a/docs/algorithms/sig/snova.md
+++ b/docs/algorithms/sig/snova.md
@ -0,0 +1,154 @@
 # SNOVA
 - **Algorithm type**: Digital signature scheme.
 - **Main cryptographic assumption**: multivariable quadratic equations, oil and vinegar.
 - **Principal submitters**: Lih-Chung Wang, Chun-Yen Chou, Jintai Ding, Yen-Liang Kuan, Jan Adriaan Leegwater, Ming-Siou Li, Bo-Shu Tseng, Po-En Tseng, Chia-Chun Wang.
 - **Authors' website**: https://snova.pqclab.org/
 - **Specification version**: Round 2.
 - **Primary Source**<a name="primary-source"></a>:
  - **Source**: https://github.com/vacuas/SNOVA/commit/1c3ca6f4f7286c0bde98d7d6f222cf63b9d52bff
  - **Implementation license (SPDX-Identifier)**: MIT
 ## Parameter set summary
 |        Parameter set        | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
 |       SNOVA\_24\_5\_4       | NA                    | EUF-CMA          |                    1 |                      1016 |                        48 |                      248 |
 |   SNOVA\_24\_5\_4\_SHAKE    | NA                    | EUF-CMA          |                    1 |                      1016 |                        48 |                      248 |
 |    SNOVA\_24\_5\_4\_esk     | NA                    | EUF-CMA          |                    1 |                      1016 |                     36848 |                      248 |
 | SNOVA\_24\_5\_4\_SHAKE\_esk | NA                    | EUF-CMA          |                    1 |                      1016 |                     36848 |                      248 |
 |      SNOVA\_37\_17\_2       | NA                    | EUF-CMA          |                    1 |                      9842 |                        48 |                      124 |
 |       SNOVA\_25\_8\_3       | NA                    | EUF-CMA          |                    1 |                      2320 |                        48 |                      165 |
 |      SNOVA\_56\_25\_2       | NA                    | EUF-CMA          |                    3 |                     31266 |                        48 |                      178 |
 |      SNOVA\_49\_11\_3       | NA                    | EUF-CMA          |                    3 |                      6006 |                        48 |                      286 |
 |       SNOVA\_37\_8\_4       | NA                    | EUF-CMA          |                    3 |                      4112 |                        48 |                      376 |
 |       SNOVA\_24\_5\_5       | NA                    | EUF-CMA          |                    3 |                      1579 |                        48 |                      379 |
 |      SNOVA\_60\_10\_4       | NA                    | EUF-CMA          |                    5 |                      8016 |                        48 |                      576 |
 |       SNOVA\_29\_6\_5       | NA                    | EUF-CMA          |                    5 |                      2716 |                        48 |                      454 |
 ## SNOVA\_24\_5\_4 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
 ## SNOVA\_24\_5\_4\_SHAKE implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_24\_5\_4\_esk implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_24\_5\_4\_SHAKE\_esk implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_37\_17\_2 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_25\_8\_3 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_56\_25\_2 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_49\_11\_3 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_37\_8\_4 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_24\_5\_5 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_60\_10\_4 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## SNOVA\_29\_6\_5 implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## Explanation of Terms
 - **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/snova.yml
+++ b/docs/algorithms/sig/snova.yml
@ -0,0 +1,560 @@
 name: SNOVA
 type: signature
 principal-submitters:
 - Lih-Chung Wang
 - Chun-Yen Chou
 - Jintai Ding
 - Yen-Liang Kuan
 - Jan Adriaan Leegwater
 - Ming-Siou Li
 - Bo-Shu Tseng
 - Po-En Tseng
 - Chia-Chun Wang
 crypto-assumption: multivariable quadratic equations, oil and vinegar
 website: https://snova.pqclab.org/
 nist-round: 2
 spec-version: Round 2
 primary-upstream:
  source: https://github.com/vacuas/SNOVA/commit/1c3ca6f4f7286c0bde98d7d6f222cf63b9d52bff
  spdx-license-identifier: MIT
 parameter-sets:
 - name: SNOVA_24_5_4
  oqs_alg: OQS_SIG_alg_snova_24_5_4
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 1016
  length-secret-key: 48
  length-signature: 248
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: SNOVA_24_5_4_SHAKE
  oqs_alg: OQS_SIG_alg_SNOVA_24_5_4_SHAKE
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 1016
  length-secret-key: 48
  length-signature: 248
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: SNOVA_24_5_4_esk
  oqs_alg: OQS_SIG_alg_snova_24_5_4_esk
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 1016
  length-secret-key: 36848
  length-signature: 248
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: SNOVA_24_5_4_SHAKE_esk
  oqs_alg: OQS_SIG_alg_SNOVA_24_5_4_SHAKE_esk
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 1016
  length-secret-key: 36848
  length-signature: 248
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: SNOVA_37_17_2
  oqs_alg: OQS_SIG_alg_SNOVA_37_17_2
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 9842
  length-secret-key: 48
  length-signature: 124
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
 - name: SNOVA_25_8_3
  oqs_alg: OQS_SIG_alg_SNOVA_25_8_3
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 2320
  length-secret-key: 48
  length-signature: 165
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: SNOVA_56_25_2
  oqs_alg: OQS_SIG_alg_snova_56_25_2
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 31266
  length-secret-key: 48
  length-signature: 178
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
 - name: SNOVA_49_11_3
  oqs_alg: OQS_SIG_alg_snova_49_11_3
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 6006
  length-secret-key: 48
  length-signature: 286
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
 - name: SNOVA_37_8_4
  oqs_alg: OQS_SIG_alg_snova_37_8_4
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 4112
  length-secret-key: 48
  length-signature: 376
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
 - name: SNOVA_24_5_5
  oqs_alg: OQS_SIG_alg_SNOVA_24_5_5
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 1579
  length-secret-key: 48
  length-signature: 379
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
 - name: SNOVA_60_10_4
  oqs_alg: OQS_SIG_alg_snova_60_10_4
  claimed-nist-level: 5
  claimed-security: EUF-CMA
  length-public-key: 8016
  length-secret-key: 48
  length-signature: 576
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
 - name: SNOVA_29_6_5
  oqs_alg: OQS_SIG_alg_SNOVA_29_6_5
  claimed-nist-level: 5
  claimed-security: EUF-CMA
  length-public-key: 2716
  length-secret-key: 48
  length-signature: 454
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: opt
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Darwin
      - Linux
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: true
--- a/docs/algorithms/sig/sphincs.md
+++ b/docs/algorithms/sig/sphincs.md
@ -7,7 +7,7 @@
 - **Authors' website**: https://sphincs.org/
 - **Specification version**: NIST Round 3 submission, v3.1 (June 10, 2022).
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789 with copy_from_upstream patches
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181 with copy_from_upstream patches
  - **Implementation license (SPDX-Identifier)**: CC0-1.0
--- a/docs/algorithms/sig/sphincs.yml
+++ b/docs/algorithms/sig/sphincs.yml
@ -26,7 +26,7 @@ nist-round: 3
 spec-version: NIST Round 3 submission, v3.1 (June 10, 2022)
 spdx-license-identifier: CC0-1.0
 primary-upstream:
-  source: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
    with copy_from_upstream patches
  spdx-license-identifier: CC0-1.0
  upstream-ancestors:
--- a/docs/algorithms/sig/uov.md
+++ b/docs/algorithms/sig/uov.md
@ -0,0 +1,154 @@
 # UOV
 - **Algorithm type**: Digital signature scheme.
 - **Main cryptographic assumption**: multivariable quadratic equations, oil and vinegar.
 - **Principal submitters**: Ward Beullens, Ming-Shing Chen, Jintai Ding, Boru Gong, Matthias J. Kannwischer, Jacques Patarin, Bo-Yuan Peng, Dieter Schmidt, Cheng-Jhih Shih, Chengdong Tao, Bo-Yin Yang.
 - **Authors' website**: https://www.uovsig.org/
 - **Specification version**: NIST Round 2 (February 2025).
 - **Primary Source**<a name="primary-source"></a>:
  - **Source**: https://github.com/pqov/pqov/commit/7e0832b6732a476119742c4acabd11b7c767aefb
  - **Implementation license (SPDX-Identifier)**: CC0 OR Apache-2.0
 ## Parameter set summary
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
 |      OV-Is      | NA                    | EUF-CMA          |                    1 |                    412160 |                    348704 |                       96 |
 |      OV-Ip      | NA                    | EUF-CMA          |                    1 |                    278432 |                    237896 |                      128 |
 |     OV-III      | NA                    | EUF-CMA          |                    3 |                   1225440 |                   1044320 |                      200 |
 |      OV-V       | NA                    | EUF-CMA          |                    5 |                   2869440 |                   2436704 |                      260 |
 |    OV-Is-pkc    | NA                    | EUF-CMA          |                    1 |                     66576 |                    348704 |                       96 |
 |    OV-Ip-pkc    | NA                    | EUF-CMA          |                    1 |                     43576 |                    237896 |                      128 |
 |   OV-III-pkc    | NA                    | EUF-CMA          |                    3 |                    189232 |                   1044320 |                      200 |
 |    OV-V-pkc     | NA                    | EUF-CMA          |                    5 |                    446992 |                   2436704 |                      260 |
 |  OV-Is-pkc-skc  | NA                    | EUF-CMA          |                    1 |                     66576 |                        32 |                       96 |
 |  OV-Ip-pkc-skc  | NA                    | EUF-CMA          |                    1 |                     43576 |                        32 |                      128 |
 | OV-III-pkc-skc  | NA                    | EUF-CMA          |                    3 |                    189232 |                        32 |                      200 |
 |  OV-V-pkc-skc   | NA                    | EUF-CMA          |                    5 |                    446992 |                        32 |                      260 |
 ## OV-Is implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                 |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
 ## OV-Ip implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-III implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-V implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-Is-pkc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-Ip-pkc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-III-pkc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-V-pkc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-Is-pkc-skc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-Ip-pkc-skc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-III-pkc-skc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## OV-V-pkc-skc implementation characteristics
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
 | [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
 | [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
 | [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 ## Explanation of Terms
 - **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/uov.yml
+++ b/docs/algorithms/sig/uov.yml
@ -0,0 +1,562 @@
 name: UOV
 type: signature
 principal-submitters:
 - Ward Beullens
 - Ming-Shing Chen
 - Jintai Ding
 - Boru Gong
 - Matthias J. Kannwischer
 - Jacques Patarin
 - Bo-Yuan Peng
 - Dieter Schmidt
 - Cheng-Jhih Shih
 - Chengdong Tao
 - Bo-Yin Yang
 crypto-assumption: multivariable quadratic equations, oil and vinegar
 website: https://www.uovsig.org/
 nist-round: 2
 spec-version: NIST Round 2 (February 2025)
 primary-upstream:
  source: https://github.com/pqov/pqov/commit/7e0832b6732a476119742c4acabd11b7c767aefb
  spdx-license-identifier: CC0 OR Apache-2.0
 parameter-sets:
 - name: OV-Is
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 412160
  length-secret-key: 348704
  length-signature: 96
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-Ip
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 278432
  length-secret-key: 237896
  length-signature: 128
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-III
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 1225440
  length-secret-key: 1044320
  length-signature: 200
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-V
  claimed-nist-level: 5
  claimed-security: EUF-CMA
  length-public-key: 2869440
  length-secret-key: 2436704
  length-signature: 260
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-Is-pkc
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 66576
  length-secret-key: 348704
  length-signature: 96
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-Ip-pkc
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 43576
  length-secret-key: 237896
  length-signature: 128
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-III-pkc
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 189232
  length-secret-key: 1044320
  length-signature: 200
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-V-pkc
  claimed-nist-level: 5
  claimed-security: EUF-CMA
  length-public-key: 446992
  length-secret-key: 2436704
  length-signature: 260
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-Is-pkc-skc
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 66576
  length-secret-key: 32
  length-signature: 96
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-Ip-pkc-skc
  claimed-nist-level: 1
  claimed-security: EUF-CMA
  length-public-key: 43576
  length-secret-key: 32
  length-signature: 128
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-III-pkc-skc
  claimed-nist-level: 3
  claimed-security: EUF-CMA
  length-public-key: 189232
  length-secret-key: 32
  length-signature: 200
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
 - name: OV-V-pkc-skc
  claimed-nist-level: 5
  claimed-security: EUF-CMA
  length-public-key: 446992
  length-secret-key: 32
  length-signature: 260
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: neon
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
    common-crypto:
    - SHA3: liboqs
    - AES: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
--- a/docs/cbom.json
+++ b/docs/cbom.json
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,61 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735563628,
        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,94 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    flake-utils.url = "github:numtide/flake-utils";
  };
  outputs = {
    self,
    nixpkgs,
    flake-utils,
  }:
    flake-utils.lib.eachDefaultSystem (system: let
      name = "liboqs";
      src = ./.;
      pkgs = nixpkgs.legacyPackages.${system};
      # Function to create compiler-specific package sets
      mkPackageSet = compiler: let
        # Override the stdenv to use the specified compiler
        stdenv =
          if compiler == "clang"
          then pkgs.clangStdenv
          else pkgs.stdenv;
        mkLib = shared:
          stdenv.mkDerivation {
            inherit name src;
            # for whatever reason, trying to 'fix' the CMake file causes a failure
            dontFixCmake = true;
            nativeBuildInputs = with pkgs;
              [cmake ninja doxygen pkg-config graphviz]
              ++ (
                if compiler == "clang"
                then [pkgs.clang]
                else [pkgs.gcc]
              );
            buildInputs = with pkgs; [openssl];
            cmakeFlags = [
              "-GNinja"
              "-DOQS_DIST_BUILD=ON"
              "-DOQS_BUILD_ONLY_LIB=ON"
              "-DBUILD_SHARED_LIBS=${
                if shared
                then "ON"
                else "OFF"
              }"
              "-DCMAKE_INSTALL_LIBDIR=lib"
              "-DCMAKE_INSTALL_INCLUDEDIR=include"
              "-DCMAKE_INSTALL_PREFIX=${placeholder "out"}"
              "-DCMAKE_INSTALL_FULL_LIBDIR=${placeholder "out"}/lib"
              "-DCMAKE_INSTALL_FULL_INCLUDEDIR=${placeholder "out"}/include"
            ];
          };
      in {
        shared = mkLib true;
        static = mkLib false;
      };
      # Create development shell for specified compiler
      mkDevShell = compiler: let
        packageSet = mkPackageSet compiler;
      in
        pkgs.mkShell {
          inherit (packageSet.shared) nativeBuildInputs buildInputs;
          # astyle formats C source code and alejandra formats nix source code
          packages = with pkgs; [astyle alejandra];
          shellHook = ''
            export CMAKE_EXPORT_COMPILE_COMMANDS=1
            echo "Using ${compiler} toolchain"
          '';
        };
    in {
      formatter = pkgs.alejandra;
      packages = {
        default = (mkPackageSet "gcc").shared; # default is gcc shared
        gcc-shared = (mkPackageSet "gcc").shared;
        clang-shared = (mkPackageSet "clang").shared;
        gcc-static = (mkPackageSet "gcc").static;
        clang-static = (mkPackageSet "clang").static;
      };
      # Development shells
      devShells = {
        default = mkDevShell "gcc";
        gcc = mkDevShell "gcc";
        clang = mkDevShell "clang";
      };
    });
 }
--- a/scripts/copy_from_upstream/.CMake/alg_support.cmake/add_enable_by_alg.fragment
+++ b/scripts/copy_from_upstream/.CMake/alg_support.cmake/add_enable_by_alg.fragment
@ -1,5 +1,9 @@
 {% for family in instructions['kems'] %}
 {%- if 'disable_by_default' in family and family['disable_by_default'] %}
 option(OQS_ENABLE_KEM_{{ family['name']|upper }} "Enable {{ family['name'] }} algorithm family" OFF)
 {%- else %}
 option(OQS_ENABLE_KEM_{{ family['name']|upper }} "Enable {{ family['name'] }} algorithm family" ON)
 {%- endif %}
    {%- for scheme in family['schemes'] %}
 cmake_dependent_option(OQS_ENABLE_KEM_{{ family['name'] }}_{{ scheme['scheme'] }} "" ON "OQS_ENABLE_KEM_{{ family['name']|upper }}" OFF)
 {%- if 'alias_scheme' in scheme %}
@ -9,7 +13,11 @@ cmake_dependent_option(OQS_ENABLE_KEM_{{ family['name'] }}_{{ scheme['alias_sche
 {% endfor -%}
 {% for family in instructions['sigs'] %}
 {%- if 'disable_by_default' in family and family['disable_by_default'] %}
 option(OQS_ENABLE_SIG_{{ family['name']|upper }} "Enable {{ family['name'] }} algorithm family" OFF)
 {%- else %}
 option(OQS_ENABLE_SIG_{{ family['name']|upper }} "Enable {{ family['name'] }} algorithm family" ON)
 {%- endif %}
    {%- for scheme in family['schemes'] %}
 cmake_dependent_option(OQS_ENABLE_SIG_{{ family['name'] }}_{{ scheme['scheme'] }} "" ON "OQS_ENABLE_SIG_{{ family['name']|upper }}" OFF)
 {%- if 'alias_scheme' in scheme %}
--- a/scripts/copy_from_upstream/.CMake/alg_support.cmake/add_enable_by_alg_conditional.fragment
+++ b/scripts/copy_from_upstream/.CMake/alg_support.cmake/add_enable_by_alg_conditional.fragment
@ -11,6 +11,18 @@ if(OQS_DIST_X86_64_BUILD OR ({% for flag in platform['required_flags'] -%} OQS_U
 {%- endif %}
 endif()
 {% if platform['operating_systems'] %}endif()
 {% endif -%}
            {%- endfor -%}
            {%- for platform in impl['supported_platforms'] if platform['architecture'] == 'CUDA' %}
 {% if platform['operating_systems'] %}if(CMAKE_SYSTEM_NAME MATCHES "{{ platform['operating_systems']|join('|') }}")
 {% endif -%}
 if(OQS_USE_CUPQC)
    cmake_dependent_option(OQS_ENABLE_KEM_{{ family['name'] }}_{{ scheme['scheme'] }}_{{ impl['name']  }} "" ON "OQS_ENABLE_KEM_{{ family['name'] }}_{{ scheme['scheme'] }}" OFF)
 {%- if 'alias_scheme' in scheme %}
    cmake_dependent_option(OQS_ENABLE_KEM_{{ family['name'] }}_{{ scheme['alias_scheme'] }}_{{ impl['name']  }} "" ON "OQS_ENABLE_KEM_{{ family['name'] }}_{{ scheme['alias_scheme'] }}" OFF)
 {%- endif %}
 endif()
 {% if platform['operating_systems'] %}endif()
 {% endif -%}
            {%- endfor -%}
            {%- for platform in impl['supported_platforms'] if platform['architecture'] == 'ARM64_V8' %}
--- a/scripts/copy_from_upstream/copy_from_upstream.py
+++ b/scripts/copy_from_upstream/copy_from_upstream.py
@ -23,7 +23,8 @@ non_upstream_kems = 0
 parser = argparse.ArgumentParser()
 parser.add_argument("-v", "--verbosity", type=int)
-parser.add_argument("-k", "--keep_data", action='store_true')
+parser.add_argument("-k", "--keep_data", action='store_true', help='Keep upstream code in the "repos" folder')
 parser.add_argument("-d", "--delete", action='store_true', help='Delete untracked files from implementation directories')
 parser.add_argument("operation", choices=["copy", "verify", "libjade"])
 args = parser.parse_args()
@ -34,6 +35,8 @@ else:
 keepdata = True if args.keep_data else False
 delete = True if args.delete else False
 if 'LIBOQS_DIR' not in os.environ:
    print("Must set environment variable LIBOQS_DIR")
    exit(1)
@ -197,6 +200,8 @@ def load_instructions(file='copy_from_upstream.yml'):
                scheme['upstream_location'] = family['upstream_location']
            if (not 'arch_specific_upstream_locations' in scheme) and 'arch_specific_upstream_locations' in family:
                scheme['arch_specific_upstream_locations'] = family['arch_specific_upstream_locations']
            if (not 'derandomized_keypair' in scheme) and 'derandomized_keypair' in family:
                scheme['derandomized_keypair'] = family['derandomized_keypair']
            if not 'git_commit' in scheme:
                scheme['git_commit'] = upstreams[scheme['upstream_location']]['git_commit']
            if not 'git_branch' in scheme:
@ -365,7 +370,12 @@ def load_instructions(file='copy_from_upstream.yml'):
                            raise RuntimeError("Found duplicate arch {} in scheme {}".format(arch, scheme))
                        scheme['scheme_paths'][arch] = (os.path.join('repos', location,
                                                                    upstreams[location]['sig_scheme_path'].format_map(scheme)))
            # assume EUF-CMA for schemes that don't specify a security classification
            scheme['metadata']['euf_cma'] = 'true'
            scheme['metadata']['suf_cma'] = 'false'
            if 'claimed-security' in metadata:
                if metadata['claimed-security'] == "SUF-CMA":
                    scheme['metadata']['suf_cma'] = 'true'
            scheme['pqclean_scheme_c'] = scheme['pqclean_scheme'].replace('-', '')
            scheme['scheme_c'] = scheme['scheme'].replace('-', '')
            scheme['default_implementation'] = family['default_implementation']
@ -492,14 +502,25 @@ def handle_implementation(impl, family, scheme, dst_basedir):
        else:
            # determine list of files to copy:
            if 'sources' in i:
-                srcs = i['sources'].split(" ")
+                if i['sources']:
-                for s in srcs:
+                    preserve_folder_structure = ('preserve_folder_structure' in i['upstream']) and i['upstream']['preserve_folder_structure'] == True
-                    # Copy recursively only in case of directories not with plain files to avoid copying over symbolic links
+                    srcs = i['sources'].split(" ")
-                    if os.path.isfile(os.path.join(origfolder, s)):
+                    for s in srcs:
-                        subprocess.run(['cp', os.path.join(origfolder, s), os.path.join(srcfolder, os.path.basename(s))])
+                        # Copy recursively only in case of directories not with plain files to avoid copying over symbolic links
-                    else:
+                        if os.path.isfile(os.path.join(origfolder, s)):
-                        subprocess.run(
+                            if preserve_folder_structure:
-                            ['cp', '-r', os.path.join(origfolder, s), os.path.join(srcfolder, os.path.basename(s))])
+                                subprocess.run(['mkdir', '-p', os.path.join(srcfolder, os.path.dirname(s))])
                                subprocess.run(['cp', os.path.join(origfolder, s), os.path.join(srcfolder, s)])
                            else:
                                subprocess.run(['cp', os.path.join(origfolder, s), os.path.join(srcfolder, os.path.basename(s))])
                        else:
                            if preserve_folder_structure:
                                subprocess.run(
                                    ['cp', '-r', os.path.join(origfolder, s), os.path.join(srcfolder, os.path.dirname(s))])                    
                            else:
                                subprocess.run(
                                    ['cp', '-r', os.path.join(origfolder, s), os.path.join(srcfolder, os.path.basename(s))])
            else:
                subprocess.run(['cp', '-pr', os.path.join(origfolder, '.'), srcfolder])
                # raise Exception("Malformed YML file: No sources listed to copy. Check upstream YML file." )
@ -543,6 +564,20 @@ def process_families(instructions, basedir, with_kat, with_generator, with_libja
        try:
            os.makedirs(os.path.join(basedir, 'src', family['type'], family['name']))
        except:
            if delete:
                # clear out all subdirectories
                with os.scandir(os.path.join(basedir, 'src', family['type'], family['name'])) as ls:
                    for entry in ls:
                        if entry.is_dir(follow_symlinks=False):
                            if with_libjade:
                                if not entry.name.startswith('libjade'):
                                    continue
                            elif entry.name.startswith('libjade'):
                                continue
                            to_rm = os.path.join(basedir, 'src', family['type'], family['name'], entry.name)
                            if DEBUG > 3:
                                print("removing %s" % to_rm)
                            shutil.rmtree(to_rm)
            pass
        if 'common_deps' in family:
            for common_dep in family['common_deps']:
@ -581,14 +616,15 @@ def process_families(instructions, basedir, with_kat, with_generator, with_libja
                            # when provided to the compiler; OQS uses the term ARM_NEON
                            if req['architecture'] == 'arm_8':
                                req['architecture'] = 'ARM64_V8'
-                            if req['architecture'] == 'ARM64_V8' and 'asimd' in req['required_flags']:
+                            if 'required_flags' in req:
-                                req['required_flags'].remove('asimd')
+                                if req['architecture'] == 'ARM64_V8' and 'asimd' in req['required_flags']:
-                                req['required_flags'].append('arm_neon')
+                                    req['required_flags'].remove('asimd')
-                            if req['architecture'] == 'ARM64_V8' and 'sha3' in req['required_flags']:
+                                    req['required_flags'].append('arm_neon')
-                                req['required_flags'].remove('sha3')
+                                if req['architecture'] == 'ARM64_V8' and 'sha3' in req['required_flags']:
-                                req['required_flags'].append('arm_sha3')
+                                    req['required_flags'].remove('sha3')
-                            impl['required_flags'] = req['required_flags']
+                                    req['required_flags'].append('arm_sha3')
-                            family['all_required_flags'].update(req['required_flags'])
+                                impl['required_flags'] = req['required_flags']
                                family['all_required_flags'].update(req['required_flags'])
                    except KeyError as ke:
                        if (impl['name'] != family['default_implementation']):
                            print("No required flags found for %s (KeyError %s on impl %s)" % (
--- a/scripts/copy_from_upstream/copy_from_upstream.yml
+++ b/scripts/copy_from_upstream/copy_from_upstream.yml
@ -15,7 +15,7 @@ upstreams:
    name: pqclean
    git_url: https://github.com/PQClean/PQClean.git
    git_branch: master
-    git_commit: 8e221ae797b229858a0b0d784577a8cb149d5789
+    git_commit: 1eacfdafc15ddc5d5759d0b85b4cef26627df181
    kem_meta_path: 'crypto_kem/{pqclean_scheme}/META.yml'
    sig_meta_path: 'crypto_sign/{pqclean_scheme}/META.yml'
    kem_scheme_path: 'crypto_kem/{pqclean_scheme}'
@ -31,13 +31,21 @@ upstreams:
    kem_scheme_path: '.'
    patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake-aes.patch, pqcrystals-kyber-avx2-shake-aes.patch]
  -
-    name: pqcrystals-kyber-standard
+    name: mlkem-native
-    git_url: https://github.com/pq-crystals/kyber.git
+    git_url: https://github.com/pq-code-package/mlkem-native.git
    git_branch: v1.0.0
    git_commit: 048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
    kem_meta_path: 'integration/liboqs/{pretty_name_full}_META.yml'
    kem_scheme_path: '.'
    preserve_folder_structure: True
  -
    name: cupqc
    git_url: https://github.com/open-quantum-safe/liboqs-cupqc-meta.git
    git_branch: main
-    git_commit: 10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd
+    git_commit: b026f4e5475cd9c20c2082c7d9bad80e5b0ba89e
    kem_meta_path: '{pretty_name_full}_META.yml'
    kem_scheme_path: '.'
-    patches: [pqcrystals-ml_kem.patch]
+    patches: []
  -
    name: pqcrystals-dilithium
    git_url: https://github.com/pq-crystals/dilithium.git
@ -45,30 +53,44 @@ upstreams:
    git_commit: 3e9b9f1412f6c7435dbeb4e10692ea58f181ee51
    sig_meta_path: '{pretty_name_full}_META.yml'
    sig_scheme_path: '.'
-    patches: [pqcrystals-dilithium-yml.patch, pqcrystals-dilithium-ref-shake-aes.patch, pqcrystals-dilithium-avx2-shake-aes.patch]
+    patches: [pqcrystals-dilithium-yml.patch, pqcrystals-dilithium-ref-shake-aes.patch, pqcrystals-dilithium-avx2-shake-aes.patch, pqcrystals-dilithium-SUF-CMA.patch]
  -
    name: pqcrystals-dilithium-standard
    git_url: https://github.com/pq-crystals/dilithium.git
-    git_branch: standard
+    git_branch: master
-    git_commit: e7bed6258b9a3703ce78d4ec38021c86382ce31c
+    git_commit: 444cdcc84eb36b66fe27b3a2529ee48f6d8150c2
    sig_meta_path: '{pretty_name_full}_META.yml'
    sig_scheme_path: '.'
-    patches: [pqcrystals-ml_dsa_ipd.patch]
+    patches: [pqcrystals-ml_dsa.patch, pqcrystals-ml_dsa-SUF-CMA.patch]
  -
    name: pqmayo
    git_url: https://github.com/PQCMayo/MAYO-C.git
-    git_branch: nibbling-mayo
+    git_branch: main
-    git_commit: cde2675ff404b0ae070e7dbc3d962ea0b026a81e
+    git_commit: 4b7cd94c96b9522864efe40c6ad1fa269584a807
    sig_meta_path: 'META/{pretty_name_full}_META.yml'
    sig_scheme_path: '.'
    patches: [pqmayo-aes.patch, pqmayo-mem.patch]
  -
    name: upcross
-    git_url: https://github.com/rtjk/CROSS-PQClean.git
+    git_url: https://github.com/CROSS-signature/CROSS-lib-oqs.git
    git_branch: master
-    git_commit: 577d7c761c684637923c8648644cf2f4d7b41954
+    git_commit: efd17279e75308b000bda7c7f58866620d652bc1
    sig_meta_path: 'generate/crypto_sign/{pqclean_scheme}/META.yml'
    sig_scheme_path: 'generate/crypto_sign/{pqclean_scheme}'
  -
    name: pqov
    git_url: https://github.com/pqov/pqov.git
    git_branch: main
    git_commit: 7e0832b6732a476119742c4acabd11b7c767aefb
    sig_scheme_path: '.'
    sig_meta_path: 'integration/liboqs/{pretty_name_full}_META.yml'
  -
    name: snova
    git_url: https://github.com/vacuas/SNOVA-OQS
    git_branch: main
    git_commit: 1c3ca6f4f7286c0bde98d7d6f222cf63b9d52bff
    sig_scheme_path: '.'
    sig_meta_path: 'liboqs/META/{pretty_name_full}_META.yml'
 kems:
  -
    name: classic_mceliece
@ -119,6 +141,7 @@ kems:
    name: hqc
    default_implementation: clean
    upstream_location: pqclean
    disable_by_default: True
    schemes:
      -
        scheme: "128"
@ -166,23 +189,25 @@ kems:
  -
    name: ml_kem
    default_implementation: ref
-    upstream_location: pqcrystals-kyber-standard
+    arch_specific_implementations:
                                      cuda: cuda
    arch_specific_upstream_locations:
                                      cuda: cupqc
    upstream_location: mlkem-native
    derandomized_keypair: true
    schemes:
      -
        scheme: "512"
        pqclean_scheme: ml-kem-512
        pretty_name_full: ML-KEM-512
        alias_pretty_name_full: ML-KEM-512
      -
        scheme: "768"
        pqclean_scheme: ml-kem-768
        pretty_name_full: ML-KEM-768
        alias_pretty_name_full: ML-KEM-768
      -
        scheme: "1024"
        pqclean_scheme: ml-kem-1024
        pretty_name_full: ML-KEM-1024
        alias_pretty_name_full: ML-KEM-1024
 sigs:
  -
    name: dilithium
@ -214,26 +239,20 @@ sigs:
    upstream_location: pqcrystals-dilithium-standard
    schemes:
      -
-        scheme: "44_ipd"
+        scheme: "44"
-        pqclean_scheme: ml-dsa-44-ipd
+        pqclean_scheme: ml-dsa-44
-        pretty_name_full: ML-DSA-44-ipd
+        pretty_name_full: ML-DSA-44
        signed_msg_order: sig_then_msg
        alias_scheme: "44"
        alias_pretty_name_full: ML-DSA-44
      -
-        scheme: "65_ipd"
+        scheme: "65"
-        pqclean_scheme: ml-dsa-65-ipd
+        pqclean_scheme: ml-dsa-65
-        pretty_name_full: ML-DSA-65-ipd
+        pretty_name_full: ML-DSA-65
        signed_msg_order: sig_then_msg
        alias_scheme: "65"
        alias_pretty_name_full: ML-DSA-65
      -
-        scheme: "87_ipd"
+        scheme: "87"
-        pqclean_scheme: ml-dsa-87-ipd
+        pqclean_scheme: ml-dsa-87
-        pretty_name_full: ML-DSA-87-ipd
+        pretty_name_full: ML-DSA-87
        signed_msg_order: sig_then_msg
        alias_scheme: "87"
        alias_pretty_name_full: ML-DSA-87
  -
    name: falcon
    default_implementation: clean
@ -443,4 +462,134 @@ sigs:
        scheme: "rsdpg_256_small"
        pqclean_scheme: cross-rsdpg-256-small
        pretty_name_full: cross-rsdpg-256-small
-        signed_msg_order: msg_then_sig
+        signed_msg_order: msg_then_sig
  -
    name: uov
    default_implementation: ref
    upstream_location: pqov
    schemes:
      -
        scheme: "ov_Is"
        pqclean_scheme: ov_Is
        pretty_name_full: OV-Is
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_Ip"
        pqclean_scheme: ov_Ip
        pretty_name_full: OV-Ip
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_III"
        pqclean_scheme: ov_III
        pretty_name_full: OV-III
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_V"
        pqclean_scheme: ov_V
        pretty_name_full: OV-V
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_Is_pkc"
        pqclean_scheme: ov_Is_pkc
        pretty_name_full: OV-Is-pkc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_Ip_pkc"
        pqclean_scheme: ov_Ip_pkc
        pretty_name_full: OV-Ip-pkc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_III_pkc"
        pqclean_scheme: ov_III_pkc
        pretty_name_full: OV-III-pkc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_V_pkc"
        pqclean_scheme: ov_V_pkc
        pretty_name_full: OV-V-pkc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_Is_pkc_skc"
        pqclean_scheme: ov_Is_pkc_skc
        pretty_name_full: OV-Is-pkc-skc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_Ip_pkc_skc"
        pqclean_scheme: ov_Ip_pkc_skc
        pretty_name_full: OV-Ip-pkc-skc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_III_pkc_skc"
        pqclean_scheme: ov_III_pkc_skc
        pretty_name_full: OV-III-pkc-skc
        signed_msg_order: msg_then_sig
      -
        scheme: "ov_V_pkc_skc"
        pqclean_scheme: ov_V_pkc_skc
        pretty_name_full: OV-V-pkc-skc
        signed_msg_order: msg_then_sig
  -
    name: snova
    default_implementation: opt
    upstream_location: snova
    schemes:
      -
        scheme: "SNOVA_24_5_4"
        pqclean_scheme: SNOVA_24_5_4
        pretty_name_full: SNOVA_24_5_4
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_24_5_4_SHAKE"
        pqclean_scheme: SNOVA_24_5_4_SHAKE
        pretty_name_full: SNOVA_24_5_4_SHAKE
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_24_5_4_esk"
        pqclean_scheme: SNOVA_24_5_4_esk
        pretty_name_full: SNOVA_24_5_4_esk
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_24_5_4_SHAKE_esk"
        pqclean_scheme: SNOVA_24_5_4_SHAKE_esk
        pretty_name_full: SNOVA_24_5_4_SHAKE_esk
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_37_17_2"
        pqclean_scheme: SNOVA_37_17_2
        pretty_name_full: SNOVA_37_17_2
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_25_8_3"
        pqclean_scheme: SNOVA_25_8_3
        pretty_name_full: SNOVA_25_8_3
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_56_25_2"
        pqclean_scheme: SNOVA_56_25_2
        pretty_name_full: SNOVA_56_25_2
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_49_11_3"
        pqclean_scheme: SNOVA_49_11_3
        pretty_name_full: SNOVA_49_11_3
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_37_8_4"
        pqclean_scheme: SNOVA_37_8_4
        pretty_name_full: SNOVA_37_8_4
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_24_5_5"
        pqclean_scheme: SNOVA_24_5_5
        pretty_name_full: SNOVA_24_5_5
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_60_10_4"
        pqclean_scheme: SNOVA_60_10_4
        pretty_name_full: SNOVA_60_10_4
        signed_msg_order: sig_then_msg
      -
        scheme: "SNOVA_29_6_5"
        pqclean_scheme: SNOVA_29_6_5
        pretty_name_full: SNOVA_29_6_5
        signed_msg_order: sig_then_msg
--- a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-SUF-CMA.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-SUF-CMA.patch
@ -0,0 +1,73 @@
 ef30acde710cc1fcb0ed9735af3631761ed0358a
 diff --git a/Dilithium2-AES_META.yml b/Dilithium2-AES_META.yml
 index bad46d3..ce6e854 100644
 --- a/Dilithium2-AES_META.yml
 +++ b/Dilithium2-AES_META.yml
@@ -1,6 +1,7 @@
 name: Dilithium2-AES
 type: signature
 claimed-nist-level: 2
 +claimed-security: SUF-CMA
 length-public-key: 1312
 length-secret-key: 2528
 length-signature: 2420
 diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml
 index f4b7e8f..1b23d3e 100644
 --- a/Dilithium2_META.yml
 +++ b/Dilithium2_META.yml
@@ -1,6 +1,7 @@
 name: Dilithium2
 type: signature
 claimed-nist-level: 2
 +claimed-security: SUF-CMA
 length-public-key: 1312
 length-secret-key: 2528
 length-signature: 2420
 diff --git a/Dilithium3-AES_META.yml b/Dilithium3-AES_META.yml
 index 0269442..5153309 100644
 --- a/Dilithium3-AES_META.yml
 +++ b/Dilithium3-AES_META.yml
@@ -1,6 +1,7 @@
 name: Dilithium3-AES
 type: signature
 claimed-nist-level: 3
 +claimed-security: SUF-CMA
 length-public-key: 1952
 length-secret-key: 4000
 length-signature: 3293
 diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml
 index f45c859..e4fbed2 100644
 --- a/Dilithium3_META.yml
 +++ b/Dilithium3_META.yml
@@ -1,6 +1,7 @@
 name: Dilithium3
 type: signature
 claimed-nist-level: 3
 +claimed-security: SUF-CMA
 length-public-key: 1952
 length-secret-key: 4000
 length-signature: 3293
 diff --git a/Dilithium5-AES_META.yml b/Dilithium5-AES_META.yml
 index 0128a32..e53bd7d 100644
 --- a/Dilithium5-AES_META.yml
 +++ b/Dilithium5-AES_META.yml
@@ -1,6 +1,7 @@
 name: Dilithium5-AES
 type: signature
 claimed-nist-level: 5
 +claimed-security: SUF-CMA
 length-public-key: 2592
 length-secret-key: 4864
 length-signature: 4595
 diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml
 index 618b617..8c1aa5f 100644
 --- a/Dilithium5_META.yml
 +++ b/Dilithium5_META.yml
@@ -1,6 +1,7 @@
 name: Dilithium5
 type: signature
 claimed-nist-level: 5
 +claimed-security: SUF-CMA
 length-public-key: 2592
 length-secret-key: 4864
 length-signature: 4595
--- a/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa-SUF-CMA.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa-SUF-CMA.patch
@ -0,0 +1,37 @@
 7bea92142e58c38ec863069a3de2044de4022ac5
 diff --git a/ML-DSA-44_META.yml b/ML-DSA-44_META.yml
 index 2d5686a..98a8376 100644
 --- a/ML-DSA-44_META.yml
 +++ b/ML-DSA-44_META.yml
@@ -1,6 +1,7 @@
 name: ML-DSA-44
 type: signature
 claimed-nist-level: 2
 +claimed-security: SUF-CMA
 length-public-key: 1312
 length-secret-key: 2560
 length-signature: 2420
 diff --git a/ML-DSA-65_META.yml b/ML-DSA-65_META.yml
 index 47a4ba0..747a4ff 100644
 --- a/ML-DSA-65_META.yml
 +++ b/ML-DSA-65_META.yml
@@ -1,6 +1,7 @@
 name: ML-DSA-65
 type: signature
 claimed-nist-level: 3
 +claimed-security: SUF-CMA
 length-public-key: 1952
 length-secret-key: 4032
 length-signature: 3309
 diff --git a/ML-DSA-87_META.yml b/ML-DSA-87_META.yml
 index e9bff1e..632703a 100644
 --- a/ML-DSA-87_META.yml
 +++ b/ML-DSA-87_META.yml
@@ -1,6 +1,7 @@
 name: ML-DSA-87
 type: signature
 claimed-nist-level: 5
 +claimed-security: SUF-CMA
 length-public-key: 2592
 length-secret-key: 4896
 length-signature: 4627
--- a/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch
@ -0,0 +1,831 @@
 diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml
 index 122b3ca..2d5686a 100644
 --- a/Dilithium2_META.yml
 +++ b/ML-DSA-44_META.yml
@@ -1,4 +1,4 @@
 -name: Dilithium2
 +name: ML-DSA-44
 type: signature
 claimed-nist-level: 2
 length-public-key: 1312
@@ -18,22 +18,22 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/dilithium/tree/master
 +    version: FIPS204
     folder_name: ref
 -    compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium2_ref_keypair
 -    signature_signature: pqcrystals_dilithium2_ref_signature
 -    signature_verify: pqcrystals_dilithium2_ref_verify
 -    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    compile_opts: -DDILITHIUM_MODE=2
 +    signature_keypair: pqcrystals_ml_dsa_44_ref_keypair
 +    signature_signature: pqcrystals_ml_dsa_44_ref_signature
 +    signature_verify: pqcrystals_ml_dsa_44_ref_verify
 +    api-with-context-string: true
 +    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/dilithium/tree/master
 -    compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium2_avx2_keypair
 -    signature_signature: pqcrystals_dilithium2_avx2_signature
 -    signature_verify: pqcrystals_dilithium2_avx2_verify
 -    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2
 +    version: FIPS204
 +    compile_opts: -DDILITHIUM_MODE=2
 +    signature_keypair: pqcrystals_ml_dsa_44_avx2_keypair
 +    signature_signature: pqcrystals_ml_dsa_44_avx2_signature
 +    signature_verify: pqcrystals_ml_dsa_44_avx2_verify
 +    api-with-context-string: true
 +    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml
 index b108b4f..47a4ba0 100644
 --- a/Dilithium3_META.yml
 +++ b/ML-DSA-65_META.yml
@@ -1,4 +1,4 @@
 -name: Dilithium3
 +name: ML-DSA-65
 type: signature
 claimed-nist-level: 3
 length-public-key: 1952
@@ -18,22 +18,22 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/dilithium/tree/master
 +    version: FIPS204
     folder_name: ref
 -    compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium3_ref_keypair
 -    signature_signature: pqcrystals_dilithium3_ref_signature
 -    signature_verify: pqcrystals_dilithium3_ref_verify
 -    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    compile_opts: -DDILITHIUM_MODE=3
 +    signature_keypair: pqcrystals_ml_dsa_65_ref_keypair
 +    signature_signature: pqcrystals_ml_dsa_65_ref_signature
 +    signature_verify: pqcrystals_ml_dsa_65_ref_verify
 +    api-with-context-string: true
 +    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/dilithium/tree/master
 -    compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium3_avx2_keypair
 -    signature_signature: pqcrystals_dilithium3_avx2_signature
 -    signature_verify: pqcrystals_dilithium3_avx2_verify
 -    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2
 +    version: FIPS204
 +    compile_opts: -DDILITHIUM_MODE=3
 +    signature_keypair: pqcrystals_ml_dsa_65_avx2_keypair
 +    signature_signature: pqcrystals_ml_dsa_65_avx2_signature
 +    signature_verify: pqcrystals_ml_dsa_65_avx2_verify
 +    api-with-context-string: true
 +    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml
 index 5163526..e9bff1e 100644
 --- a/Dilithium5_META.yml
 +++ b/ML-DSA-87_META.yml
@@ -1,4 +1,4 @@
 -name: Dilithium5
 +name: ML-DSA-87
 type: signature
 claimed-nist-level: 5
 length-public-key: 2592
@@ -18,22 +18,22 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/dilithium/tree/master
 +    version: FIPS204
     folder_name: ref
 -    compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium5_ref_keypair
 -    signature_signature: pqcrystals_dilithium5_ref_signature
 -    signature_verify: pqcrystals_dilithium5_ref_verify
 -    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    compile_opts: -DDILITHIUM_MODE=5
 +    signature_keypair: pqcrystals_ml_dsa_87_ref_keypair
 +    signature_signature: pqcrystals_ml_dsa_87_ref_signature
 +    signature_verify: pqcrystals_ml_dsa_87_ref_verify
 +    api-with-context-string: true
 +    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/dilithium/tree/master
 -    compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium5_avx2_keypair
 -    signature_signature: pqcrystals_dilithium5_avx2_signature
 -    signature_verify: pqcrystals_dilithium5_avx2_verify
 -    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2
 +    version: FIPS204
 +    compile_opts: -DDILITHIUM_MODE=5
 +    signature_keypair: pqcrystals_ml_dsa_87_avx2_keypair
 +    signature_signature: pqcrystals_ml_dsa_87_avx2_signature
 +    signature_verify: pqcrystals_ml_dsa_87_avx2_verify
 +    api-with-context-string: true
 +    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/avx2/config.h b/avx2/config.h
 index a9facc0..3944cb4 100644
 --- a/avx2/config.h
 +++ b/avx2/config.h
@@ -11,17 +11,17 @@
 #endif
 #if DILITHIUM_MODE == 2
 -#define CRYPTO_ALGNAME "Dilithium2"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s
 +#define CRYPTO_ALGNAME "ML-DSA-44"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s
 #elif DILITHIUM_MODE == 3
 -#define CRYPTO_ALGNAME "Dilithium3"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s
 +#define CRYPTO_ALGNAME "ML-DSA-65"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s
 #elif DILITHIUM_MODE == 5
 -#define CRYPTO_ALGNAME "Dilithium5"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
 +#define CRYPTO_ALGNAME "ML-DSA-87"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s
 #endif
 #endif
 diff --git a/avx2/f1600x4.S b/avx2/f1600x4.S
 index 5455129..497b8ca 100644
 --- a/avx2/f1600x4.S
 +++ b/avx2/f1600x4.S
@@ -905,5 +905,3 @@ addq		$32, %rsi
 subq		$1, %rax
 jnz		looptop
 ret
 -
 -.section .note.GNU-stack,"",@progbits
 diff --git a/avx2/invntt.S b/avx2/invntt.S
 index d40ca13..3e9864c 100644
 --- a/avx2/invntt.S
 +++ b/avx2/invntt.S
@@ -236,5 +236,3 @@ levels6t7	2
 levels6t7	3
 ret
 -
 -.section .note.GNU-stack,"",@progbits
 diff --git a/avx2/ntt.S b/avx2/ntt.S
 index 026f057..ebe17d3 100644
 --- a/avx2/ntt.S
 +++ b/avx2/ntt.S
@@ -194,5 +194,3 @@ levels2t7	2
 levels2t7	3
 ret
 -
 -.section .note.GNU-stack,"",@progbits
 diff --git a/avx2/pointwise.S b/avx2/pointwise.S
 index 6b687c7..ae7ff79 100644
 --- a/avx2/pointwise.S
 +++ b/avx2/pointwise.S
@@ -209,5 +209,3 @@ cmp		$16,%eax
 jb _looptop2
 ret
 -
 -.section .note.GNU-stack,"",@progbits
 diff --git a/avx2/poly.c b/avx2/poly.c
 index 340e91d..0a4ecb6 100644
 --- a/avx2/poly.c
 +++ b/avx2/poly.c
@@ -401,6 +401,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
   stream128_state state;
   stream128_init(&state, seed, nonce);
   poly_uniform_preinit(a, &state);
 +  stream128_release(&state);
 }
 void poly_uniform_4x(poly *a0,
@@ -415,7 +416,7 @@ void poly_uniform_4x(poly *a0,
 {
   unsigned int ctr0, ctr1, ctr2, ctr3;
   ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
 -  keccakx4_state state;
 +  shake128x4incctx state;
   __m256i f;
   f = _mm256_loadu_si256((__m256i *)seed);
@@ -433,6 +434,7 @@ void poly_uniform_4x(poly *a0,
   buf[3].coeffs[SEEDBYTES+0] = nonce3;
   buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
 +  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
@@ -449,6 +451,7 @@ void poly_uniform_4x(poly *a0,
     ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
 +  shake128x4_inc_ctx_release(&state);
 }
 /*************************************************
@@ -530,6 +533,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
   stream256_state state;
   stream256_init(&state, seed, nonce);
   poly_uniform_eta_preinit(a, &state);
 +  stream256_release(&state);
 }
 void poly_uniform_eta_4x(poly *a0,
@@ -546,7 +550,7 @@ void poly_uniform_eta_4x(poly *a0,
   ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
   __m256i f;
 -  keccakx4_state state;
 +  shake256x4incctx state;
   f = _mm256_loadu_si256((__m256i *)&seed[0]);
   _mm256_store_si256(&buf[0].vec[0],f);
@@ -568,6 +572,7 @@ void poly_uniform_eta_4x(poly *a0,
   buf[3].coeffs[64] = nonce3;
   buf[3].coeffs[65] = nonce3 >> 8;
 +  shake256x4_inc_init(&state);
   shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
@@ -584,6 +589,7 @@ void poly_uniform_eta_4x(poly *a0,
     ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
     ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
   }
 +  shake256x4_inc_ctx_release(&state);
 }
 /*************************************************
@@ -611,6 +617,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
   stream256_state state;
   stream256_init(&state, seed, nonce);
   poly_uniform_gamma1_preinit(a, &state);
 +  stream256_release(&state);
 }
 void poly_uniform_gamma1_4x(poly *a0,
@@ -624,7 +631,7 @@ void poly_uniform_gamma1_4x(poly *a0,
                             uint16_t nonce3)
 {
   ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
 -  keccakx4_state state;
 +  shake256x4incctx state;
   __m256i f;
   f = _mm256_loadu_si256((__m256i *)&seed[0]);
@@ -647,8 +654,10 @@ void poly_uniform_gamma1_4x(poly *a0,
   buf[3].coeffs[64] = nonce3;
   buf[3].coeffs[65] = nonce3 >> 8;
 +  shake256x4_inc_init(&state);
   shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 +  shake256x4_inc_ctx_release(&state);
   polyz_unpack(a0, buf[0].coeffs);
   polyz_unpack(a1, buf[1].coeffs);
@@ -670,12 +679,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) {
   unsigned int i, b, pos;
   uint64_t signs;
   ALIGNED_UINT8(SHAKE256_RATE) buf;
 -  keccak_state state;
 +  shake256incctx state;
 -  shake256_init(&state);
 -  shake256_absorb(&state, seed, CTILDEBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeezeblocks(buf.coeffs, 1, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, seed, CTILDEBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
   memcpy(&signs, buf.coeffs, 8);
   pos = 8;
@@ -695,6 +704,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) {
     c->coeffs[b] = 1 - 2*(signs & 1);
     signs >>= 1;
   }
 +  shake256_inc_ctx_release(&state);
 }
 /*************************************************
 diff --git a/avx2/shuffle.S b/avx2/shuffle.S
 index 08c757c..133e051 100644
 --- a/avx2/shuffle.S
 +++ b/avx2/shuffle.S
@@ -50,5 +50,3 @@ call		nttunpack128_avx
 add		$256,%rdi
 call		nttunpack128_avx
 ret
 -
 -.section .note.GNU-stack,"",@progbits
 diff --git a/avx2/sign.c b/avx2/sign.c
 index efb6ea3..532e37c 100644
 --- a/avx2/sign.c
 +++ b/avx2/sign.c
@@ -168,7 +168,7 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *
     polyvecl y;
     polyveck w0;
   } tmpv;
 -  keccak_state state;
 +  shake256incctx state;
   rho = seedbuf;
   tr = rho + SEEDBYTES;
@@ -178,20 +178,20 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *
   unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
   /* Compute mu = CRH(tr, pre, msg) */
 -  shake256_init(&state);
 -  shake256_absorb(&state, tr, TRBYTES);
 -  shake256_absorb(&state, pre, prelen);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, tr, TRBYTES);
 +  shake256_inc_absorb(&state, pre, prelen);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
   /* Compute rhoprime = CRH(key, rnd, mu) */
 -  shake256_init(&state);
 -  shake256_absorb(&state, key, SEEDBYTES);
 -  shake256_absorb(&state, rnd, RNDBYTES);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(rhoprime, CRHBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, key, SEEDBYTES);
 +  shake256_inc_absorb(&state, rnd, RNDBYTES);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(rhoprime, CRHBYTES, &state);
   /* Expand matrix and transform vectors */
   polyvec_matrix_expand(mat, rho);
@@ -231,11 +231,11 @@ rej:
   polyveck_decompose(&w1, &tmpv.w0, &w1);
   polyveck_pack_w1(sig, &w1);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(sig, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(sig, CTILDEBYTES, &state);
   poly_challenge(&c, sig);
   poly_ntt(&c);
@@ -280,6 +280,7 @@ rej:
     hint[OMEGA + i] = pos = pos + n;
   }
 +  shake256_inc_ctx_release(&state);
   /* Pack z into signature */
   for(i = 0; i < L; i++)
     polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
@@ -384,19 +385,19 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t
   polyvecl *row = rowbuf;
   polyvecl z;
   poly c, w1, h;
 -  keccak_state state;
 +  shake256incctx state;
   if(siglen != CRYPTO_BYTES)
     return -1;
   /* Compute CRH(H(rho, t1), pre, msg) */
   shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, pre, prelen);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, pre, prelen);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
   /* Expand challenge */
   poly_challenge(&c, sig);
@@ -426,12 +427,17 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t
     /* Get hint polynomial and reconstruct w1 */
     memset(h.vec, 0, sizeof(poly));
 -    if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
 +    if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
 +      shake256_inc_ctx_release(&state);
       return -1;
 +    }
     for(j = pos; j < hint[OMEGA + i]; ++j) {
       /* Coefficients are ordered for strong unforgeability */
 -      if(j > pos && hint[j] <= hint[j-1]) return -1;
 +      if(j > pos && hint[j] <= hint[j-1]) {
 +        shake256_inc_ctx_release(&state);
 +        return -1;
 +      }
       h.coeffs[hint[j]] = 1;
     }
     pos = hint[OMEGA + i];
@@ -443,14 +449,18 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t
   /* Extra indices are zero for strong unforgeability */
   for(j = pos; j < OMEGA; ++j)
 -    if(hint[j]) return -1;
 +    if(hint[j]) {
 +      shake256_inc_ctx_release(&state);
 +      return -1;
 +    }
   /* Call random oracle and verify challenge */
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(buf.coeffs, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
 +  shake256_inc_ctx_release(&state);
   for(i = 0; i < CTILDEBYTES; ++i)
     if(buf.coeffs[i] != sig[i])
       return -1;
 diff --git a/avx2/symmetric.h b/avx2/symmetric.h
 index 8f3c3c5..fa49963 100644
 --- a/avx2/symmetric.h
 +++ b/avx2/symmetric.h
@@ -6,21 +6,23 @@
 #include "fips202.h"
 -typedef keccak_state stream128_state;
 -typedef keccak_state stream256_state;
 +typedef shake128incctx stream128_state;
 +typedef shake256incctx stream256_state;
 #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
 -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
 -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 #define STREAM128_BLOCKBYTES SHAKE128_RATE
 #define STREAM256_BLOCKBYTES SHAKE256_RATE
 #define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
 #define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
 #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 #endif
 diff --git a/ref/config.h b/ref/config.h
 index 98b8ccb..8008e11 100644
 --- a/ref/config.h
 +++ b/ref/config.h
@@ -11,17 +11,17 @@
 #endif
 #if DILITHIUM_MODE == 2
 -#define CRYPTO_ALGNAME "Dilithium2"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s
 +#define CRYPTO_ALGNAME "ML-DSA-44"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s
 #elif DILITHIUM_MODE == 3
 -#define CRYPTO_ALGNAME "Dilithium3"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s
 +#define CRYPTO_ALGNAME "ML-DSA-65"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s
 #elif DILITHIUM_MODE == 5
 -#define CRYPTO_ALGNAME "Dilithium5"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
 +#define CRYPTO_ALGNAME "ML-DSA-87"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s
 #endif
 #endif
 diff --git a/ref/poly.c b/ref/poly.c
 index 0db4f42..691b5e8 100644
 --- a/ref/poly.c
 +++ b/ref/poly.c
@@ -365,6 +365,7 @@ void poly_uniform(poly *a,
     buflen = STREAM128_BLOCKBYTES + off;
     ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
   }
 +  stream128_release(&state);
 }
 /*************************************************
@@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a,
     stream256_squeezeblocks(buf, 1, &state);
     ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
   }
 +  stream256_release(&state);
 }
 /*************************************************
@@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a,
   stream256_init(&state, seed, nonce);
   stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 +  stream256_release(&state);
   polyz_unpack(a, buf);
 }
@@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) {
   unsigned int i, b, pos;
   uint64_t signs;
   uint8_t buf[SHAKE256_RATE];
 -  keccak_state state;
 +  shake256incctx state;
 -  shake256_init(&state);
 -  shake256_absorb(&state, seed, CTILDEBYTES);
 -  shake256_finalize(&state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, seed, CTILDEBYTES);
 +  shake256_inc_finalize(&state);
   shake256_squeezeblocks(buf, 1, &state);
   signs = 0;
@@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) {
     c->coeffs[b] = 1 - 2*(signs & 1);
     signs >>= 1;
   }
 +  shake256_inc_ctx_release(&state);
 }
 /*************************************************
 diff --git a/ref/sign.c b/ref/sign.c
 index 7d3f882..abb033c 100644
 --- a/ref/sign.c
 +++ b/ref/sign.c
@@ -98,7 +98,7 @@ int crypto_sign_signature_internal(uint8_t *sig,
   polyvecl mat[K], s1, y, z;
   polyveck t0, s2, w1, w0, h;
   poly cp;
 -  keccak_state state;
 +  shake256incctx state;
   rho = seedbuf;
   tr = rho + SEEDBYTES;
@@ -108,20 +108,20 @@ int crypto_sign_signature_internal(uint8_t *sig,
   unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
   /* Compute mu = CRH(tr, pre, msg) */
 -  shake256_init(&state);
 -  shake256_absorb(&state, tr, TRBYTES);
 -  shake256_absorb(&state, pre, prelen);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, tr, TRBYTES);
 +  shake256_inc_absorb(&state, pre, prelen);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
   /* Compute rhoprime = CRH(key, rnd, mu) */
 -  shake256_init(&state);
 -  shake256_absorb(&state, key, SEEDBYTES);
 -  shake256_absorb(&state, rnd, RNDBYTES);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(rhoprime, CRHBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, key, SEEDBYTES);
 +  shake256_inc_absorb(&state, rnd, RNDBYTES);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(rhoprime, CRHBYTES, &state);
   /* Expand matrix and transform vectors */
   polyvec_matrix_expand(mat, rho);
@@ -145,11 +145,11 @@ rej:
   polyveck_decompose(&w1, &w0, &w1);
   polyveck_pack_w1(sig, &w1);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(sig, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(sig, CTILDEBYTES, &state);
   poly_challenge(&cp, sig);
   poly_ntt(&cp);
@@ -182,6 +182,8 @@ rej:
   if(n > OMEGA)
     goto rej;
 +  shake256_inc_ctx_release(&state);
 +
   /* Write signature */
   pack_sig(sig, sig, &z, &h);
   *siglen = CRYPTO_BYTES;
@@ -303,7 +305,7 @@ int crypto_sign_verify_internal(const uint8_t *sig,
   poly cp;
   polyvecl mat[K], z;
   polyveck t1, w1, h;
 -  keccak_state state;
 +  shake256incctx state;
   if(siglen != CRYPTO_BYTES)
     return -1;
@@ -316,12 +318,12 @@ int crypto_sign_verify_internal(const uint8_t *sig,
   /* Compute CRH(H(rho, t1), pre, msg) */
   shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, TRBYTES);
 -  shake256_absorb(&state, pre, prelen);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, mu, TRBYTES);
 +  shake256_inc_absorb(&state, pre, prelen);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
   /* Matrix-vector multiplication; compute Az - c2^dt1 */
   poly_challenge(&cp, c);
@@ -345,11 +347,12 @@ int crypto_sign_verify_internal(const uint8_t *sig,
   polyveck_pack_w1(buf, &w1);
   /* Call random oracle and verify challenge */
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(c2, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(c2, CTILDEBYTES, &state);
 +  shake256_inc_ctx_release(&state);
   for(i = 0; i < CTILDEBYTES; ++i)
     if(c[i] != c2[i])
       return -1;
 diff --git a/ref/sign.h b/ref/sign.h
 index 2741e8f..0b5f74a 100644
 --- a/ref/sign.h
 +++ b/ref/sign.h
@@ -1,6 +1,8 @@
 #ifndef SIGN_H
 #define SIGN_H
 +#include <oqs/oqs.h>
 +
 #include <stddef.h>
 #include <stdint.h>
 #include "params.h"
@@ -11,7 +13,7 @@
 int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
 #define crypto_sign_signature_internal DILITHIUM_NAMESPACE(signature_internal)
 -int crypto_sign_signature_internal(uint8_t *sig,
 +OQS_API int crypto_sign_signature_internal(uint8_t *sig,
                                    size_t *siglen,
                                    const uint8_t *m,
                                    size_t mlen,
@@ -33,7 +35,7 @@ int crypto_sign(uint8_t *sm, size_t *smlen,
                 const uint8_t *sk);
 #define crypto_sign_verify_internal DILITHIUM_NAMESPACE(verify_internal)
 -int crypto_sign_verify_internal(const uint8_t *sig,
 +OQS_API int crypto_sign_verify_internal(const uint8_t *sig,
                                 size_t siglen,
                                 const uint8_t *m,
                                 size_t mlen,
 diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
 index 11ec09c..963f649 100644
 --- a/ref/symmetric-shake.c
 +++ b/ref/symmetric-shake.c
@@ -3,26 +3,26 @@
 #include "symmetric.h"
 #include "fips202.h"
 -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
 +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
 {
   uint8_t t[2];
   t[0] = nonce;
   t[1] = nonce >> 8;
 -  shake128_init(state);
 -  shake128_absorb(state, seed, SEEDBYTES);
 -  shake128_absorb(state, t, 2);
 -  shake128_finalize(state);
 +  shake128_inc_init(state);
 +  shake128_inc_absorb(state, seed, SEEDBYTES);
 +  shake128_inc_absorb(state, t, 2);
 +  shake128_inc_finalize(state);
 }
 -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
 +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
 {
   uint8_t t[2];
   t[0] = nonce;
   t[1] = nonce >> 8;
 -  shake256_init(state);
 -  shake256_absorb(state, seed, CRHBYTES);
 -  shake256_absorb(state, t, 2);
 -  shake256_finalize(state);
 +  shake256_inc_init(state);
 +  shake256_inc_absorb(state, seed, CRHBYTES);
 +  shake256_inc_absorb(state, t, 2);
 +  shake256_inc_finalize(state);
 }
 diff --git a/ref/symmetric.h b/ref/symmetric.h
 index cba12d1..211de3b 100644
 --- a/ref/symmetric.h
 +++ b/ref/symmetric.h
@@ -6,16 +6,16 @@
 #include "fips202.h"
 -typedef keccak_state stream128_state;
 -typedef keccak_state stream256_state;
 +typedef shake128incctx stream128_state;
 +typedef shake256incctx stream256_state;
 #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
 -void dilithium_shake128_stream_init(keccak_state *state,
 +void dilithium_shake128_stream_init(shake128incctx *state,
                                     const uint8_t seed[SEEDBYTES],
                                     uint16_t nonce);
 #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
 -void dilithium_shake256_stream_init(keccak_state *state,
 +void dilithium_shake256_stream_init(shake256incctx *state,
                                     const uint8_t seed[CRHBYTES],
                                     uint16_t nonce);
@@ -26,9 +26,11 @@ void dilithium_shake256_stream_init(keccak_state *state,
         dilithium_shake128_stream_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
         shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
 #define stream256_init(STATE, SEED, NONCE) \
         dilithium_shake256_stream_init(STATE, SEED, NONCE)
 #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
         shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 #endif
--- a/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa_ipd.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa_ipd.patch
@ -1,842 +0,0 @@
 diff --git a/Dilithium2_META.yml b/ML-DSA-44-ipd_META.yml
 index 0e2e6fc..d99edb5 100644
 --- a/Dilithium2_META.yml
 +++ b/ML-DSA-44-ipd_META.yml
@@ -1,11 +1,11 @@
 -name: Dilithium2
 +name: ML-DSA-44-ipd
 type: signature
 claimed-nist-level: 2
 length-public-key: 1312
 -length-secret-key: 2528
 +length-secret-key: 2560
 length-signature: 2420
 -nistkat-sha256: 26ae9c1224171e957dbe38672942d31edb7dffbe700825e0cb52128cdb45280a
 -testvectors-sha256: b56155479f5643a3cb3d73260ba2b1fd7e772a49b6f4cebcf742cd860fbf6879
 +nistkat-sha256: e6f3ec4dc0b02dd3bcbbc6b105190e1890ca0bb3f802e2b571f0d70f3993a2e1
 +testvectors-sha256: aff4dbcb0c5ad52c840036907661efd2cafd6c1cba95ed052184f45adf30f365
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -18,22 +18,20 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
 +    version: https://github.com/pq-crystals/dilithium/tree/standard
     folder_name: ref
 -    compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium2_ref_keypair
 -    signature_signature: pqcrystals_dilithium2_ref_signature
 -    signature_verify: pqcrystals_dilithium2_ref_verify
 -    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    compile_opts: -DDILITHIUM_MODE=2
 +    signature_keypair: pqcrystals_ml_dsa_44_ipd_ref_keypair
 +    signature_signature: pqcrystals_ml_dsa_44_ipd_ref_signature
 +    signature_verify: pqcrystals_ml_dsa_44_ipd_ref_verify
 +    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
 -    compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium2_avx2_keypair
 -    signature_signature: pqcrystals_dilithium2_avx2_signature
 -    signature_verify: pqcrystals_dilithium2_avx2_verify
 -    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2
 +    version: https://github.com/pq-crystals/dilithium/tree/standard
 +    compile_opts: -DDILITHIUM_MODE=2
 +    signature_keypair: pqcrystals_ml_dsa_44_ipd_avx2_keypair
 +    signature_signature: pqcrystals_ml_dsa_44_ipd_avx2_signature
 +    signature_verify: pqcrystals_ml_dsa_44_ipd_avx2_verify
 +    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/Dilithium3_META.yml b/ML-DSA-65-ipd_META.yml
 index d1bca64..72a43e7 100644
 --- a/Dilithium3_META.yml
 +++ b/ML-DSA-65-ipd_META.yml
@@ -1,11 +1,11 @@
 -name: Dilithium3
 +name: ML-DSA-65-ipd
 type: signature
 claimed-nist-level: 3
 length-public-key: 1952
 -length-secret-key: 4000
 -length-signature: 3293
 -nistkat-sha256: eea584803c3d6991a4acbf9f117147bbdd246faf822cfb1a17effe20b2052ba9
 -testvectors-sha256: a237032c7840a0d2f922951f806c2199f8f86b8a8947f6f6f1b856c925222958
 +length-secret-key: 4032
 +length-signature: 3309
 +nistkat-sha256: 7225c4531086d88c9b7fa18101b0f78dda2d38df88812c65ddc1ae94fe3c01a7
 +testvectors-sha256: e0a98c0a29137dcbeb12104ccaa6a0555a9bdb4dcfbc2b0fc9a959dd8b6c8699
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -18,22 +18,20 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
 +    version: https://github.com/pq-crystals/dilithium/tree/standard
     folder_name: ref
 -    compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium3_ref_keypair
 -    signature_signature: pqcrystals_dilithium3_ref_signature
 -    signature_verify: pqcrystals_dilithium3_ref_verify
 -    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    compile_opts: -DDILITHIUM_MODE=3
 +    signature_keypair: pqcrystals_ml_dsa_65_ipd_ref_keypair
 +    signature_signature: pqcrystals_ml_dsa_65_ipd_ref_signature
 +    signature_verify: pqcrystals_ml_dsa_65_ipd_ref_verify
 +    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
 -    compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium3_avx2_keypair
 -    signature_signature: pqcrystals_dilithium3_avx2_signature
 -    signature_verify: pqcrystals_dilithium3_avx2_verify
 -    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2
 +    version: https://github.com/pq-crystals/dilithium/tree/standard
 +    compile_opts: -DDILITHIUM_MODE=3
 +    signature_keypair: pqcrystals_ml_dsa_65_ipd_avx2_keypair
 +    signature_signature: pqcrystals_ml_dsa_65_ipd_avx2_signature
 +    signature_verify: pqcrystals_ml_dsa_65_ipd_avx2_verify
 +    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/Dilithium5_META.yml b/ML-DSA-87-ipd_META.yml
 index a4dbdbf..bf68590 100644
 --- a/Dilithium5_META.yml
 +++ b/ML-DSA-87-ipd_META.yml
@@ -1,11 +1,11 @@
 -name: Dilithium5
 +name: ML-DSA-87-ipd
 type: signature
 claimed-nist-level: 5
 length-public-key: 2592
 -length-secret-key: 4864
 -length-signature: 4595
 -nistkat-sha256: 3f6e58603a38be57cf08d79b01fcfd0ccc1129a09e14a6122c6fe22c906ddc3b
 -testvectors-sha256: ddeb95f4a743562010bce527ea7c99fed4ce1234bafd5ed6f44eea0f065ba49c
 +length-secret-key: 4896
 +length-signature: 4627
 +nistkat-sha256: f5cb5ed44a261a4118f9cfd5d55b4210939cb5b8531968a10c37060551a8927f
 +testvectors-sha256: 9a1985c10b13efefee50067edf3432ed8ab48a62965743feb45a317485980883
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -18,22 +18,20 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
 +    version: https://github.com/pq-crystals/dilithium/tree/standard
     folder_name: ref
 -    compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium5_ref_keypair
 -    signature_signature: pqcrystals_dilithium5_ref_signature
 -    signature_verify: pqcrystals_dilithium5_ref_verify
 -    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    compile_opts: -DDILITHIUM_MODE=5
 +    signature_keypair: pqcrystals_ml_dsa_87_ipd_ref_keypair
 +    signature_signature: pqcrystals_ml_dsa_87_ipd_ref_signature
 +    signature_verify: pqcrystals_ml_dsa_87_ipd_ref_verify
 +    sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
 -    compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
 -    signature_keypair: pqcrystals_dilithium5_avx2_keypair
 -    signature_signature: pqcrystals_dilithium5_avx2_signature
 -    signature_verify: pqcrystals_dilithium5_avx2_verify
 -    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2
 +    version: https://github.com/pq-crystals/dilithium/tree/standard
 +    compile_opts: -DDILITHIUM_MODE=5
 +    signature_keypair: pqcrystals_ml_dsa_87_ipd_avx2_keypair
 +    signature_signature: pqcrystals_ml_dsa_87_ipd_avx2_signature
 +    signature_verify: pqcrystals_ml_dsa_87_ipd_avx2_verify
 +    sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/README.md b/README.md
 index 5a5d48d..d6b337a 100644
 --- a/README.md
 +++ b/README.md
@@ -18,9 +18,9 @@ brew install openssl
 ```
 Then, run
 ```sh
 -export CFLAGS="-I/usr/local/opt/openssl@1.1/include"
 -export NISTFLAGS="-I/usr/local/opt/openssl@1.1/include"
 -export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
 +export CFLAGS="-I/opt/homebrew/opt/openssl@1.1/include"
 +export NISTFLAGS="-I/opt/homebrew/opt/openssl@1.1/include"
 +export LDFLAGS="-L/opt/homebrew/opt/openssl@1.1/lib"
 ```
 before compilation to add the OpenSSL header and library locations to the respective search paths.
@@ -60,11 +60,11 @@ Our Dilithium implementations are contained in the [SUPERCOP](https://bench.cr.y
 ## Randomized signing
 -By default our code implements Dilithium's deterministic signing mode. To change this to the randomized signing mode, define the `DILITHIUM_RANDOMIZED_SIGNING` preprocessor macro at compilation by either uncommenting the line
 +By default our code implements Dilithium's randomized signing mode. To change this to the deterministic signing mode, undefine the `DILITHIUM_RANDOMIZED_SIGNING` preprocessor macro at compilation by commenting the line
 ```sh
 -//#define DILITHIUM_RANDOMIZED_SIGNING
 +#define DILITHIUM_RANDOMIZED_SIGNING
 ```
 -in config.h, or adding `-DDILITHIUM_RANDOMIZED_SIGNING` to the compiler flags in the environment variable `CFLAGS`.
 +in config.h.
 ## Shared libraries
 diff --git a/avx2/api.h b/avx2/api.h
 index 1948a96..55b6376 100644
 --- a/avx2/api.h
 +++ b/avx2/api.h
@@ -5,7 +5,7 @@
 #include <stdint.h>
 #define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
 -#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
 +#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
 #define pqcrystals_dilithium2_BYTES 2420
 #define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
@@ -32,8 +32,8 @@ int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
 #define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
 -#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
 -#define pqcrystals_dilithium3_BYTES 3293
 +#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
 +#define pqcrystals_dilithium3_BYTES 3309
 #define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
 #define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -59,8 +59,8 @@ int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
 #define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
 -#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
 -#define pqcrystals_dilithium5_BYTES 4595
 +#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
 +#define pqcrystals_dilithium5_BYTES 4627
 #define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
 #define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
 diff --git a/avx2/config.h b/avx2/config.h
 index ba5caa8..e59f81a 100644
 --- a/avx2/config.h
 +++ b/avx2/config.h
@@ -2,7 +2,7 @@
 #define CONFIG_H
 //#define DILITHIUM_MODE 2
 -//#define DILITHIUM_RANDOMIZED_SIGNING
 +#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
@@ -11,17 +11,17 @@
 #endif
 #if DILITHIUM_MODE == 2
 -#define CRYPTO_ALGNAME "Dilithium2"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s
 +#define CRYPTO_ALGNAME "ML-DSA-44-ipd"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_avx2
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_avx2_##s
 #elif DILITHIUM_MODE == 3
 -#define CRYPTO_ALGNAME "Dilithium3"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s
 +#define CRYPTO_ALGNAME "ML-DSA-65-ipd"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_avx2
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_avx2_##s
 #elif DILITHIUM_MODE == 5
 -#define CRYPTO_ALGNAME "Dilithium5"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
 +#define CRYPTO_ALGNAME "ML-DSA-87-ipd"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_avx2
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_avx2_##s
 #endif
 #endif
 diff --git a/avx2/poly.c b/avx2/poly.c
 index c1b21c1..25d3682 100644
 --- a/avx2/poly.c
 +++ b/avx2/poly.c
@@ -401,6 +401,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
   stream128_state state;
   stream128_init(&state, seed, nonce);
   poly_uniform_preinit(a, &state);
 +  stream128_release(&state);
 }
 void poly_uniform_4x(poly *a0,
@@ -415,7 +416,7 @@ void poly_uniform_4x(poly *a0,
 {
   unsigned int ctr0, ctr1, ctr2, ctr3;
   ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
 -  keccakx4_state state;
 +  shake128x4incctx state;
   __m256i f;
   f = _mm256_loadu_si256((__m256i *)seed);
@@ -433,6 +434,7 @@ void poly_uniform_4x(poly *a0,
   buf[3].coeffs[SEEDBYTES+0] = nonce3;
   buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
 +  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
@@ -449,6 +451,7 @@ void poly_uniform_4x(poly *a0,
     ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
 +  shake128x4_inc_ctx_release(&state);
 }
 /*************************************************
@@ -530,6 +533,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
   stream256_state state;
   stream256_init(&state, seed, nonce);
   poly_uniform_eta_preinit(a, &state);
 +  stream256_release(&state);
 }
 void poly_uniform_eta_4x(poly *a0,
@@ -546,7 +550,7 @@ void poly_uniform_eta_4x(poly *a0,
   ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
   __m256i f;
 -  keccakx4_state state;
 +  shake256x4incctx state;
   f = _mm256_loadu_si256((__m256i *)&seed[0]);
   _mm256_store_si256(&buf[0].vec[0],f);
@@ -568,6 +572,7 @@ void poly_uniform_eta_4x(poly *a0,
   buf[3].coeffs[64] = nonce3;
   buf[3].coeffs[65] = nonce3 >> 8;
 +  shake256x4_inc_init(&state);
   shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
@@ -584,6 +589,7 @@ void poly_uniform_eta_4x(poly *a0,
     ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
     ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
   }
 +  shake256x4_inc_ctx_release(&state);
 }
 /*************************************************
@@ -611,6 +617,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
   stream256_state state;
   stream256_init(&state, seed, nonce);
   poly_uniform_gamma1_preinit(a, &state);
 +  stream256_release(&state);
 }
 void poly_uniform_gamma1_4x(poly *a0,
@@ -624,7 +631,7 @@ void poly_uniform_gamma1_4x(poly *a0,
                             uint16_t nonce3)
 {
   ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
 -  keccakx4_state state;
 +  shake256x4incctx state;
   __m256i f;
   f = _mm256_loadu_si256((__m256i *)&seed[0]);
@@ -647,8 +654,10 @@ void poly_uniform_gamma1_4x(poly *a0,
   buf[3].coeffs[64] = nonce3;
   buf[3].coeffs[65] = nonce3 >> 8;
 +  shake256x4_inc_init(&state);
   shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 +  shake256x4_inc_ctx_release(&state);
   polyz_unpack(a0, buf[0].coeffs);
   polyz_unpack(a1, buf[1].coeffs);
@@ -670,12 +679,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
   unsigned int i, b, pos;
   uint64_t signs;
   ALIGNED_UINT8(SHAKE256_RATE) buf;
 -  keccak_state state;
 +  shake256incctx state;
 -  shake256_init(&state);
 -  shake256_absorb(&state, seed, SEEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeezeblocks(buf.coeffs, 1, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, seed, SEEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
   memcpy(&signs, buf.coeffs, 8);
   pos = 8;
@@ -695,6 +704,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
     c->coeffs[b] = 1 - 2*(signs & 1);
     signs >>= 1;
   }
 +  shake256_inc_ctx_release(&state);
 }
 /*************************************************
 diff --git a/avx2/sign.c b/avx2/sign.c
 index c8f2398..a39f851 100644
 --- a/avx2/sign.c
 +++ b/avx2/sign.c
@@ -161,7 +161,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
     polyvecl y;
     polyveck w0;
   } tmpv;
 -  keccak_state state;
 +  shake256incctx state;
   rho = seedbuf;
   tr = rho + SEEDBYTES;
@@ -172,11 +172,11 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
   unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
   /* Compute CRH(tr, msg) */
 -  shake256_init(&state);
 -  shake256_absorb(&state, tr, TRBYTES);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, tr, TRBYTES);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
 #ifdef DILITHIUM_RANDOMIZED_SIGNING
   randombytes(rnd, RNDBYTES);
@@ -223,11 +223,11 @@ rej:
   polyveck_decompose(&w1, &tmpv.w0, &w1);
   polyveck_pack_w1(sig, &w1);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(sig, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(sig, CTILDEBYTES, &state);
   poly_challenge(&c, sig);
   poly_ntt(&c);
@@ -272,6 +272,7 @@ rej:
     hint[OMEGA + i] = pos = pos + n;
   }
 +  shake256_inc_ctx_release(&state);
   /* Pack z into signature */
   for(i = 0; i < L; i++)
     polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
@@ -329,18 +330,19 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
   polyvecl *row = rowbuf;
   polyvecl z;
   poly c, w1, h;
 -  keccak_state state;
 +  shake256incctx state;
   if(siglen != CRYPTO_BYTES)
     return -1;
   /* Compute CRH(H(rho, t1), msg) */
   shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_ctx_release(&state);
   /* Expand challenge */
   poly_challenge(&c, sig);
@@ -390,11 +392,12 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
     if(hint[j]) return -1;
   /* Call random oracle and verify challenge */
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(buf.coeffs, CTILDEBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
 +  shake256_inc_ctx_release(&state);
   for(i = 0; i < CTILDEBYTES; ++i)
     if(buf.coeffs[i] != sig[i])
       return -1;
 diff --git a/avx2/symmetric.h b/avx2/symmetric.h
 index 8f3c3c5..fa49963 100644
 --- a/avx2/symmetric.h
 +++ b/avx2/symmetric.h
@@ -6,21 +6,23 @@
 #include "fips202.h"
 -typedef keccak_state stream128_state;
 -typedef keccak_state stream256_state;
 +typedef shake128incctx stream128_state;
 +typedef shake256incctx stream256_state;
 #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
 -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
 -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 #define STREAM128_BLOCKBYTES SHAKE128_RATE
 #define STREAM256_BLOCKBYTES SHAKE256_RATE
 #define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
 #define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
 #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 #endif
 diff --git a/ref/api.h b/ref/api.h
 index cc5c6fe..78caa5c 100644
 --- a/ref/api.h
 +++ b/ref/api.h
@@ -33,7 +33,7 @@ int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
 #define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
 #define pqcrystals_dilithium3_SECRETKEYBYTES 4032
 -#define pqcrystals_dilithium3_BYTES 3293
 +#define pqcrystals_dilithium3_BYTES 3309
 #define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
 #define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -60,7 +60,7 @@ int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
 #define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
 #define pqcrystals_dilithium5_SECRETKEYBYTES 4896
 -#define pqcrystals_dilithium5_BYTES 4595
 +#define pqcrystals_dilithium5_BYTES 4627
 #define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
 #define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
 diff --git a/ref/config.h b/ref/config.h
 index 5ddcd8c..eddf13f 100644
 --- a/ref/config.h
 +++ b/ref/config.h
@@ -2,7 +2,7 @@
 #define CONFIG_H
 //#define DILITHIUM_MODE 2
 -//#define DILITHIUM_RANDOMIZED_SIGNING
 +#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
@@ -11,17 +11,17 @@
 #endif
 #if DILITHIUM_MODE == 2
 -#define CRYPTO_ALGNAME "Dilithium2"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s
 +#define CRYPTO_ALGNAME "ML-DSA-44-ipd"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_ref
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_ref_##s
 #elif DILITHIUM_MODE == 3
 -#define CRYPTO_ALGNAME "Dilithium3"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s
 +#define CRYPTO_ALGNAME "ML-DSA-65-ipd"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_ref
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_ref_##s
 #elif DILITHIUM_MODE == 5
 -#define CRYPTO_ALGNAME "Dilithium5"
 -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
 +#define CRYPTO_ALGNAME "ML-DSA-87-ipd"
 +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_ref
 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_ref_##s
 #endif
 #endif
 diff --git a/ref/packing.h b/ref/packing.h
 index 1e8e9e7..8e47728 100644
 --- a/ref/packing.h
 +++ b/ref/packing.h
@@ -18,7 +18,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
              const polyveck *s2);
 #define pack_sig DILITHIUM_NAMESPACE(pack_sig)
 -void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
 +void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
 #define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
 void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
                const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
 #define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
 -int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
 +int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
 #endif
 diff --git a/ref/poly.c b/ref/poly.c
 index fe3b787..7983aac 100644
 --- a/ref/poly.c
 +++ b/ref/poly.c
@@ -365,6 +365,7 @@ void poly_uniform(poly *a,
     buflen = STREAM128_BLOCKBYTES + off;
     ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
   }
 +  stream128_release(&state);
 }
 /*************************************************
@@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a,
     stream256_squeezeblocks(buf, 1, &state);
     ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
   }
 +  stream256_release(&state);
 }
 /*************************************************
@@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a,
   stream256_init(&state, seed, nonce);
   stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 +  stream256_release(&state);
   polyz_unpack(a, buf);
 }
@@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
   unsigned int i, b, pos;
   uint64_t signs;
   uint8_t buf[SHAKE256_RATE];
 -  keccak_state state;
 +  shake256incctx state;
 -  shake256_init(&state);
 -  shake256_absorb(&state, seed, SEEDBYTES);
 -  shake256_finalize(&state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, seed, SEEDBYTES);
 +  shake256_inc_finalize(&state);
   shake256_squeezeblocks(buf, 1, &state);
   signs = 0;
@@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
     c->coeffs[b] = 1 - 2*(signs & 1);
     signs >>= 1;
   }
 +  shake256_inc_ctx_release(&state);
 }
 /*************************************************
 diff --git a/ref/sign.c b/ref/sign.c
 index d25a399..9298ad2 100644
 --- a/ref/sign.c
 +++ b/ref/sign.c
@@ -90,7 +90,7 @@ int crypto_sign_signature(uint8_t *sig,
   polyvecl mat[K], s1, y, z;
   polyveck t0, s2, w1, w0, h;
   poly cp;
 -  keccak_state state;
 +  shake256incctx state;
   rho = seedbuf;
   tr = rho + SEEDBYTES;
@@ -102,11 +102,11 @@ int crypto_sign_signature(uint8_t *sig,
   /* Compute mu = CRH(tr, msg) */
 -  shake256_init(&state);
 -  shake256_absorb(&state, tr, TRBYTES);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, tr, TRBYTES);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
 #ifdef DILITHIUM_RANDOMIZED_SIGNING
   randombytes(rnd, RNDBYTES);
@@ -138,11 +138,11 @@ rej:
   polyveck_decompose(&w1, &w0, &w1);
   polyveck_pack_w1(sig, &w1);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(sig, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(sig, CTILDEBYTES, &state);
   poly_challenge(&cp, sig); /* uses only the first SEEDBYTES bytes of sig */
   poly_ntt(&cp);
@@ -175,6 +175,8 @@ rej:
   if(n > OMEGA)
     goto rej;
 +  shake256_inc_ctx_release(&state);
 +
   /* Write signature */
   pack_sig(sig, sig, &z, &h);
   *siglen = CRYPTO_BYTES;
@@ -240,7 +242,7 @@ int crypto_sign_verify(const uint8_t *sig,
   poly cp;
   polyvecl mat[K], z;
   polyveck t1, w1, h;
 -  keccak_state state;
 +  shake256incctx state;
   if(siglen != CRYPTO_BYTES)
     return -1;
@@ -253,11 +255,11 @@ int crypto_sign_verify(const uint8_t *sig,
   /* Compute CRH(H(rho, t1), msg) */
   shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
   /* Matrix-vector multiplication; compute Az - c2^dt1 */
   poly_challenge(&cp, c); /* uses only the first SEEDBYTES bytes of c */
@@ -281,11 +283,12 @@ int crypto_sign_verify(const uint8_t *sig,
   polyveck_pack_w1(buf, &w1);
   /* Call random oracle and verify challenge */
 -  shake256_init(&state);
 -  shake256_absorb(&state, mu, CRHBYTES);
 -  shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
 -  shake256_finalize(&state);
 -  shake256_squeeze(c2, CTILDEBYTES, &state);
 +  shake256_inc_ctx_reset(&state);
 +  shake256_inc_absorb(&state, mu, CRHBYTES);
 +  shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(c2, CTILDEBYTES, &state);
 +  shake256_inc_ctx_release(&state);
   for(i = 0; i < CTILDEBYTES; ++i)
     if(c[i] != c2[i])
       return -1;
 diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
 index 11ec09c..963f649 100644
 --- a/ref/symmetric-shake.c
 +++ b/ref/symmetric-shake.c
@@ -3,26 +3,26 @@
 #include "symmetric.h"
 #include "fips202.h"
 -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
 +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
 {
   uint8_t t[2];
   t[0] = nonce;
   t[1] = nonce >> 8;
 -  shake128_init(state);
 -  shake128_absorb(state, seed, SEEDBYTES);
 -  shake128_absorb(state, t, 2);
 -  shake128_finalize(state);
 +  shake128_inc_init(state);
 +  shake128_inc_absorb(state, seed, SEEDBYTES);
 +  shake128_inc_absorb(state, t, 2);
 +  shake128_inc_finalize(state);
 }
 -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
 +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
 {
   uint8_t t[2];
   t[0] = nonce;
   t[1] = nonce >> 8;
 -  shake256_init(state);
 -  shake256_absorb(state, seed, CRHBYTES);
 -  shake256_absorb(state, t, 2);
 -  shake256_finalize(state);
 +  shake256_inc_init(state);
 +  shake256_inc_absorb(state, seed, CRHBYTES);
 +  shake256_inc_absorb(state, t, 2);
 +  shake256_inc_finalize(state);
 }
 diff --git a/ref/symmetric.h b/ref/symmetric.h
 index cba12d1..211de3b 100644
 --- a/ref/symmetric.h
 +++ b/ref/symmetric.h
@@ -6,16 +6,16 @@
 #include "fips202.h"
 -typedef keccak_state stream128_state;
 -typedef keccak_state stream256_state;
 +typedef shake128incctx stream128_state;
 +typedef shake256incctx stream256_state;
 #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
 -void dilithium_shake128_stream_init(keccak_state *state,
 +void dilithium_shake128_stream_init(shake128incctx *state,
                                     const uint8_t seed[SEEDBYTES],
                                     uint16_t nonce);
 #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
 -void dilithium_shake256_stream_init(keccak_state *state,
 +void dilithium_shake256_stream_init(shake256incctx *state,
                                     const uint8_t seed[CRHBYTES],
                                     uint16_t nonce);
@@ -26,9 +26,11 @@ void dilithium_shake256_stream_init(keccak_state *state,
         dilithium_shake128_stream_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
         shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
 #define stream256_init(STATE, SEED, NONCE) \
         dilithium_shake256_stream_init(STATE, SEED, NONCE)
 #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
         shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 #endif
--- a/scripts/copy_from_upstream/patches/pqcrystals-ml_kem.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-ml_kem.patch
@ -1,457 +0,0 @@
 diff --git a/Kyber1024_META.yml b/ML-KEM-1024_META.yml
 similarity index 55%
 rename from Kyber1024_META.yml
 rename to ML-KEM-1024_META.yml
 index baa5ca3..fdfc298 100644
 --- a/Kyber1024_META.yml
 +++ b/ML-KEM-1024_META.yml
@@ -1,4 +1,4 @@
 -name: Kyber1024
 +name: ML-KEM-1024
 type: kem
 claimed-nist-level: 5
 claimed-security: IND-CCA2
@@ -6,8 +6,8 @@ length-public-key: 1568
 length-ciphertext: 1568
 length-secret-key: 3168
 length-shared-secret: 32
 -nistkat-sha256: 5afcf2a568ad32d49b55105b032af1850f03f3888ff9e2a72f4059c58e968f60
 -testvectors-sha256: ff1a854b9b6761a70c65ccae85246fe0596a949e72eae0866a8a2a2d4ea54b10
 +nistkat-sha256: f580d851e5fb27e6876e5e203fa18be4cdbfd49e05d48fec3d3992c8f43a13e6
 +testvectors-sha256: 85ab251d6e749e6b27507a8a6ec473ba2e8419c1aef87d0cd5ec9903c1bb92df
 principal-submitters:
   - Peter Schwabe
 auxiliary-submitters:
@@ -22,22 +22,20 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
 +    version: https://github.com/pq-crystals/kyber/tree/standard
     folder_name: ref
     compile_opts: -DKYBER_K=4
 -    signature_keypair: pqcrystals_kyber1024_ref_keypair
 -    signature_enc: pqcrystals_kyber1024_ref_enc
 -    signature_dec: pqcrystals_kyber1024_ref_dec
 -    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    signature_keypair: pqcrystals_ml_kem_1024_ref_keypair
 +    signature_enc: pqcrystals_ml_kem_1024_ref_enc
 +    signature_dec: pqcrystals_ml_kem_1024_ref_dec
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
 +    version: https://github.com/pq-crystals/kyber/tree/standard
     compile_opts: -DKYBER_K=4
 -    signature_keypair: pqcrystals_kyber1024_avx2_keypair
 -    signature_enc: pqcrystals_kyber1024_avx2_enc
 -    signature_dec: pqcrystals_kyber1024_avx2_dec
 -    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2 common_keccak4x_avx2
 +    signature_keypair: pqcrystals_ml_kem_1024_avx2_keypair
 +    signature_enc: pqcrystals_ml_kem_1024_avx2_enc
 +    signature_dec: pqcrystals_ml_kem_1024_avx2_dec
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/Kyber512_META.yml b/ML-KEM-512_META.yml
 similarity index 55%
 rename from Kyber512_META.yml
 rename to ML-KEM-512_META.yml
 index b251701..40440a8 100644
 --- a/Kyber512_META.yml
 +++ b/ML-KEM-512_META.yml
@@ -1,4 +1,4 @@
 -name: Kyber512
 +name: ML-KEM-512
 type: kem
 claimed-nist-level: 1
 claimed-security: IND-CCA2
@@ -6,8 +6,8 @@ length-public-key: 800
 length-ciphertext: 768
 length-secret-key: 1632
 length-shared-secret: 32
 -nistkat-sha256: bb0481d3325d828817900b709d23917cefbc10026fc857f098979451f67bb0ca
 -testvectors-sha256: 6730bb552c22d9d2176ffb5568e48eb30952cf1f065073ec5f9724f6a3c6ea85
 +nistkat-sha256: c70041a761e01cd6426fa60e9fd6a4412c2be817386c8d0f3334898082512782
 +testvectors-sha256: e1ac6fb45e2511f4170a3527c0c50dcd61336f47113df7a299a61ef8394bd669
 principal-submitters:
   - Peter Schwabe
 auxiliary-submitters:
@@ -22,22 +22,20 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/kyber/commit/74cad307858b61e434490c75f812cb9b9ef7279b
 +    version: https://github.com/pq-crystals/kyber/tree/standard
     folder_name: ref
     compile_opts: -DKYBER_K=2 
 -    signature_keypair: pqcrystals_kyber512_ref_keypair
 -    signature_enc: pqcrystals_kyber512_ref_enc
 -    signature_dec: pqcrystals_kyber512_ref_dec
 -    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    signature_keypair: pqcrystals_ml_kem_512_ref_keypair
 +    signature_enc: pqcrystals_ml_kem_512_ref_enc
 +    signature_dec: pqcrystals_ml_kem_512_ref_dec
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/kyber/commit/36414d64fc1890ed58d1ca8b1e0cab23635d1ac2
 +    version: https://github.com/pq-crystals/kyber/tree/standard
     compile_opts: -DKYBER_K=2 
 -    signature_keypair: pqcrystals_kyber512_avx2_keypair
 -    signature_enc: pqcrystals_kyber512_avx2_enc
 -    signature_dec: pqcrystals_kyber512_avx2_dec
 -    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2 common_keccak4x_avx2
 +    signature_keypair: pqcrystals_ml_kem_512_avx2_keypair
 +    signature_enc: pqcrystals_ml_kem_512_avx2_enc
 +    signature_dec: pqcrystals_ml_kem_512_avx2_dec
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/Kyber768_META.yml b/ML-KEM-768_META.yml
 similarity index 55%
 rename from Kyber768_META.yml
 rename to ML-KEM-768_META.yml
 index 7a0cc3d..4277df3 100644
 --- a/Kyber768_META.yml
 +++ b/ML-KEM-768_META.yml
@@ -1,4 +1,4 @@
 -name: Kyber768
 +name: ML-KEM-768
 type: kem
 claimed-nist-level: 3
 claimed-security: IND-CCA2
@@ -6,8 +6,8 @@ length-public-key: 1184
 length-ciphertext: 1088
 length-secret-key: 2400
 length-shared-secret: 32
 -nistkat-sha256: 89e82a5bf2d4ddb2c6444e10409e6d9ca65dafbca67d1a0db2c9b54920a29172
 -testvectors-sha256: 667c8ca2ca93729c0df6ff24588460bad1bbdbfb64ece0fe8563852a7ff348c6
 +nistkat-sha256: 5352539586b6c3df58be6158a6250aeff402bd73060b0a3de68850ac074c17c3
 +testvectors-sha256: 2586721a714c439f6fef26e29ee1c4c67c6207186f810617f278e6ce3e67ea0d
 principal-submitters:
   - Peter Schwabe
 auxiliary-submitters:
@@ -22,22 +22,20 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
   - name: ref
 -    version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
 +    version: https://github.com/pq-crystals/kyber/tree/standard
     folder_name: ref
     compile_opts: -DKYBER_K=3
 -    signature_keypair: pqcrystals_kyber768_ref_keypair
 -    signature_enc: pqcrystals_kyber768_ref_enc
 -    signature_dec: pqcrystals_kyber768_ref_dec
 -    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h fips202.h symmetric-shake.c
 -    common_dep: common_ref
 +    signature_keypair: pqcrystals_ml_kem_768_ref_keypair
 +    signature_enc: pqcrystals_ml_kem_768_ref_enc
 +    signature_dec: pqcrystals_ml_kem_768_ref_dec
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
   - name: avx2
 -    version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
 +    version: https://github.com/pq-crystals/kyber/tree/standard
     compile_opts: -DKYBER_K=3
 -    signature_keypair: pqcrystals_kyber768_avx2_keypair
 -    signature_enc: pqcrystals_kyber768_avx2_enc
 -    signature_dec: pqcrystals_kyber768_avx2_dec
 -    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
 -    common_dep: common_avx2 common_keccak4x_avx2
 +    signature_keypair: pqcrystals_ml_kem_768_avx2_keypair
 +    signature_enc: pqcrystals_ml_kem_768_avx2_enc
 +    signature_dec: pqcrystals_ml_kem_768_avx2_dec
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h symmetric-shake.c
     supported_platforms:
       - architecture: x86_64
         operating_systems:
 diff --git a/avx2/indcpa.c b/avx2/indcpa.c
 index 18b9d08..c4b2b3a 100644
 --- a/avx2/indcpa.c
 +++ b/avx2/indcpa.c
@@ -175,7 +175,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   unsigned int ctr0, ctr1, ctr2, ctr3;
   ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
   __m256i f;
 -  keccakx4_state state;
 +  shake128x4incctx state;
   f = _mm256_loadu_si256((__m256i *)seed);
   _mm256_store_si256(buf[0].vec, f);
@@ -204,6 +204,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     buf[3].coeffs[33] = 1;
   }
 +  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
@@ -225,6 +226,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   poly_nttunpack(&a[0].vec[1]);
   poly_nttunpack(&a[1].vec[0]);
   poly_nttunpack(&a[1].vec[1]);
 +  shake128x4_inc_ctx_release(&state);
 }
 #elif KYBER_K == 3
 void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
@@ -232,8 +234,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   unsigned int ctr0, ctr1, ctr2, ctr3;
   ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
   __m256i f;
 -  keccakx4_state state;
 -  keccak_state state1x;
 +  shake128x4incctx state;
 +  shake128incctx state1x;
   f = _mm256_loadu_si256((__m256i *)seed);
   _mm256_store_si256(buf[0].vec, f);
@@ -262,6 +264,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     buf[3].coeffs[33] = 1;
   }
 +  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
@@ -327,6 +330,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[2].vec[0].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[2].vec[1].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
 +  shake128x4_inc_ctx_release(&state);
   poly_nttunpack(&a[1].vec[1]);
   poly_nttunpack(&a[1].vec[2]);
@@ -337,6 +341,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   _mm256_store_si256(buf[0].vec, f);
   buf[0].coeffs[32] = 2;
   buf[0].coeffs[33] = 2;
 +
 +  shake128_inc_init(&state1x);
   shake128_absorb_once(&state1x, buf[0].coeffs, 34);
   shake128_squeezeblocks(buf[0].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state1x);
   ctr0 = rej_uniform_avx(a[2].vec[2].coeffs, buf[0].coeffs);
@@ -344,6 +350,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     shake128_squeezeblocks(buf[0].coeffs, 1, &state1x);
     ctr0 += rej_uniform(a[2].vec[2].coeffs + ctr0, KYBER_N - ctr0, buf[0].coeffs, SHAKE128_RATE);
   }
 +  shake128_inc_ctx_release(&state1x);
   poly_nttunpack(&a[2].vec[2]);
 }
@@ -353,7 +360,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   unsigned int i, ctr0, ctr1, ctr2, ctr3;
   ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
   __m256i f;
 -  keccakx4_state state;
 +  shake128x4incctx state;
 +  shake128x4_inc_init(&state);
   for(i=0;i<4;i++) {
     f = _mm256_loadu_si256((__m256i *)seed);
@@ -405,6 +413,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     poly_nttunpack(&a[i].vec[2]);
     poly_nttunpack(&a[i].vec[3]);
   }
 +  shake128x4_inc_ctx_release(&state);
 }
 #endif
 diff --git a/avx2/params.h b/avx2/params.h
 index bc70ebf..fdc688e 100644
 --- a/avx2/params.h
 +++ b/avx2/params.h
@@ -12,19 +12,19 @@
 #ifdef KYBER_90S
 #define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_avx2_##s
 #else
 -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_avx2_##s
 +#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_512_avx2_##s
 #endif
 #elif (KYBER_K == 3)
 #ifdef KYBER_90S
 #define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_avx2_##s
 #else
 -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_avx2_##s
 +#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_768_avx2_##s
 #endif
 #elif (KYBER_K == 4)
 #ifdef KYBER_90S
 #define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_avx2_##s
 #else
 -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_avx2_##s
 +#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_1024_avx2_##s
 #endif
 #else
 #error "KYBER_K must be in {2,3,4}"
 diff --git a/avx2/poly.c b/avx2/poly.c
 index 56a5e1e..681fd6d 100644
 --- a/avx2/poly.c
 +++ b/avx2/poly.c
@@ -2,6 +2,7 @@
 #include <immintrin.h>
 #include <string.h>
 #include "align.h"
 +#include "fips202x4.h"
 #include "params.h"
 #include "poly.h"
 #include "ntt.h"
@@ -325,7 +326,7 @@ void poly_getnoise_eta1_4x(poly *r0,
 {
   ALIGNED_UINT8(NOISE_NBLOCKS*SHAKE256_RATE) buf[4];
   __m256i f;
 -  keccakx4_state state;
 +  shake256x4incctx state;
   f = _mm256_loadu_si256((__m256i *)seed);
   _mm256_store_si256(buf[0].vec, f);
@@ -338,8 +339,10 @@ void poly_getnoise_eta1_4x(poly *r0,
   buf[2].coeffs[32] = nonce2;
   buf[3].coeffs[32] = nonce3;
 +  shake256x4_inc_init(&state);
   shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 33);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, NOISE_NBLOCKS, &state);
 +  shake256x4_inc_ctx_release(&state);
   poly_cbd_eta1(r0, buf[0].vec);
   poly_cbd_eta1(r1, buf[1].vec);
@@ -360,7 +363,7 @@ void poly_getnoise_eta1122_4x(poly *r0,
 {
   ALIGNED_UINT8(NOISE_NBLOCKS*SHAKE256_RATE) buf[4];
   __m256i f;
 -  keccakx4_state state;
 +  shake256x4incctx state;
   f = _mm256_loadu_si256((__m256i *)seed);
   _mm256_store_si256(buf[0].vec, f);
@@ -373,8 +376,10 @@ void poly_getnoise_eta1122_4x(poly *r0,
   buf[2].coeffs[32] = nonce2;
   buf[3].coeffs[32] = nonce3;
 +  shake256x4_inc_init(&state);
   shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 33);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, NOISE_NBLOCKS, &state);
 +  shake256x4_inc_ctx_release(&state);
   poly_cbd_eta1(r0, buf[0].vec);
   poly_cbd_eta1(r1, buf[1].vec);
 diff --git a/avx2/symmetric.h b/avx2/symmetric.h
 index 627b891..e4941f7 100644
 --- a/avx2/symmetric.h
 +++ b/avx2/symmetric.h
@@ -8,10 +8,10 @@
 #include "fips202.h"
 #include "fips202x4.h"
 -typedef keccak_state xof_state;
 +typedef shake128incctx xof_state;
 #define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb)
 -void kyber_shake128_absorb(keccak_state *s,
 +void kyber_shake128_absorb(shake128incctx *s,
                            const uint8_t seed[KYBER_SYMBYTES],
                            uint8_t x,
                            uint8_t y);
 diff --git a/ref/indcpa.c b/ref/indcpa.c
 index 9a78c09..726cfa9 100644
 --- a/ref/indcpa.c
 +++ b/ref/indcpa.c
@@ -168,6 +168,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
   unsigned int buflen;
   uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES];
   xof_state state;
 +  xof_init(&state, seed);
   for(i=0;i<KYBER_K;i++) {
     for(j=0;j<KYBER_K;j++) {
@@ -187,6 +188,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
       }
     }
   }
 +  xof_release(&state);
 }
 /*************************************************
 diff --git a/ref/params.h b/ref/params.h
 index 0802c74..36b2b98 100644
 --- a/ref/params.h
 +++ b/ref/params.h
@@ -8,11 +8,11 @@
 /* Don't change parameters below this line */
 #if   (KYBER_K == 2)
 -#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s
 +#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_512_ref_##s
 #elif (KYBER_K == 3)
 -#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s
 +#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_768_ref_##s
 #elif (KYBER_K == 4)
 -#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s
 +#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_1024_ref_##s
 #else
 #error "KYBER_K must be in {2,3,4}"
 #endif
 diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
 index 6a99071..20f4518 100644
 --- a/ref/symmetric-shake.c
 +++ b/ref/symmetric-shake.c
@@ -15,7 +15,7 @@
 *              - uint8_t i: additional byte of input
 *              - uint8_t j: additional byte of input
 **************************************************/
 -void kyber_shake128_absorb(keccak_state *state,
 +void kyber_shake128_absorb(shake128incctx *state,
                            const uint8_t seed[KYBER_SYMBYTES],
                            uint8_t x,
                            uint8_t y)
@@ -63,11 +63,12 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 **************************************************/
 void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
 {
 -  keccak_state s;
 +  shake256incctx s;
 -  shake256_init(&s);
 -  shake256_absorb(&s, key, KYBER_SYMBYTES);
 -  shake256_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
 -  shake256_finalize(&s);
 -  shake256_squeeze(out, KYBER_SSBYTES, &s);
 +  shake256_inc_init(&s);
 +  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
 +  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
 +  shake256_inc_finalize(&s);
 +  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
 +  shake256_inc_ctx_release(&s);
 }
 diff --git a/ref/symmetric.h b/ref/symmetric.h
 index 58e6ece..2acc66f 100644
 --- a/ref/symmetric.h
 +++ b/ref/symmetric.h
@@ -7,10 +7,10 @@
 #include "fips202.h"
 -typedef keccak_state xof_state;
 +typedef shake128incctx xof_state;
 #define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb)
 -void kyber_shake128_absorb(keccak_state *s,
 +void kyber_shake128_absorb(shake128incctx *s,
                            const uint8_t seed[KYBER_SYMBYTES],
                            uint8_t x,
                            uint8_t y);
@@ -25,8 +25,10 @@ void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SY
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 +#define xof_init(STATE, SEED) shake128_inc_init(STATE)
 #define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define xof_release(STATE) shake128_inc_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
 #define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
--- a/scripts/copy_from_upstream/patches/pqmayo-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqmayo-aes.patch
@ -1,10 +1,10 @@
 diff --git a/src/common/aes_ctr.h b/src/common/aes_ctr.h
-index c47c01e..c5fd013 100644
+index fdec519..8d2f429 100644
 --- a/src/common/aes_ctr.h
 +++ b/src/common/aes_ctr.h
-@@ -16,8 +16,14 @@ int AES_128_CTR_4R_NI(unsigned char *output, size_t outputByteLen,
+@@ -23,8 +23,14 @@ int AES_128_CTR_4R_NI(unsigned char *output, size_t outputByteLen,
                       const unsigned char *input, size_t inputByteLen);
- #define AES_128_CTR AES_128_CTR_NI
+ #define AES_128_CTR AES_128_CTR_NEON
 #else
 -int AES_128_CTR(unsigned char *output, size_t outputByteLen,
 -                const unsigned char *input, size_t inputByteLen);
@ -17,6 +17,5 @@ index c47c01e..c5fd013 100644
 +    return (int) outputByteLen;
 +}
 #endif
 #endif
- 
+ 
--- a/scripts/copy_from_upstream/patches/pqmayo-mem.patch
+++ b/scripts/copy_from_upstream/patches/pqmayo-mem.patch
@ -1,10 +1,10 @@
 diff --git a/include/mem.h b/include/mem.h
-index 4695847..dc5172c 100644
+index 87324b8..b84405c 100644
 --- a/include/mem.h
 +++ b/include/mem.h
-@@ -40,13 +40,16 @@ static inline unsigned char ct_compare_8(unsigned char a, unsigned char b) {
+@@ -5,21 +5,24 @@
-     return (int8_t)((-(int32_t)(a ^ b)) >> (8*sizeof(uint32_t)-1));
+ #include <stddef.h>
- }
+ #include <stdint.h>
 +#include <oqs/common.h>
 /**
@ -14,20 +14,20 @@ index 4695847..dc5172c 100644
  * @param size Size of memory to be cleared and freed.
  */
 -void mayo_secure_free(void *mem, size_t size);
 -
 +static inline void mayo_secure_free(void *mem, size_t size) {
 +    OQS_MEM_secure_free(mem, size);
 +}
 /**
  * Clears memory.
-@@ -54,6 +57,8 @@ void mayo_secure_free(void *mem, size_t size);
+  * 
  * @param[out] mem Memory to be cleared.
  * @param size Size of memory to be cleared.
  */
 -void mayo_secure_clear(void *mem, size_t size);
 -
 +static inline void mayo_secure_clear(void *mem, size_t size) {
 +    OQS_MEM_cleanse(mem, size);
 +}
 #endif
-\ No newline at end of file
+ 
--- a/scripts/copy_from_upstream/requirements.in
+++ b/scripts/copy_from_upstream/requirements.in
@ -1,7 +1,7 @@
 attrs==20.3.0
 GitPython==3.1.41
 importlib-metadata==3.7.0
-Jinja2==3.1.4
+Jinja2==3.1.5
 markdown-it-py==2.2.0
 MarkupSafe==2.1.3
 mdit-py-plugins==0.3.4
--- a/scripts/copy_from_upstream/requirements.txt
+++ b/scripts/copy_from_upstream/requirements.txt
@ -20,9 +20,9 @@ importlib-metadata==3.7.0 \
    --hash=sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa \
    --hash=sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614
    # via -r requirements.in
-jinja2==3.1.4 \
+jinja2==3.1.5 \
-    --hash=sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369 \
+    --hash=sha256:8fefff8dc3034e27bb80d67c671eb8a9bc424c0ef4c0826edbff304cceff43bb \
-    --hash=sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d
+    --hash=sha256:aba0f4dc9ed8013c424088f68a5c226f7d6097ed89b246d7749c2ec4175c6adb
    # via -r requirements.in
 markdown-it-py==2.2.0 \
    --hash=sha256:5a35f8d1870171d9acc47b99612dc146129b631baf04970128b568f190d0cc30 \
--- a/scripts/copy_from_upstream/src/kem/family/CMakeLists.txt
+++ b/scripts/copy_from_upstream/src/kem/family/CMakeLists.txt
@ -33,11 +33,19 @@ if(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme_c'] }}{%- if 'alias_scheme' in
    target_compile_options({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PUBLIC {{ impl['compile_opts'] }})
           {%- endif -%}
        {%- elif impl['name'] == 'cuda' %}
 if(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme_c'] }}_{{ impl['name'] }}{%- if 'alias_scheme' in scheme %} OR OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}{%- endif %})
    add_library({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} OBJECT {{ impl['upstream']['name'] }}_{{ scheme['pqclean_scheme'] }}_{{ impl['name'] }}/cupqc_ml-kem.cu)
    target_link_libraries({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} cupqc)
    set_property(TARGET {{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PROPERTY CUDA_ARCHITECTURES OFF)
    target_compile_options({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PRIVATE {{ impl['compile_opts'] }})
        {%- else %}
 if(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme_c'] }}_{{ impl['name'] }}{%- if 'alias_scheme' in scheme %} OR OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}{%- endif %})
    add_library({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} OBJECT {% for source_file in impl['sources']|sort -%}{{ impl['upstream']['name'] }}_{{ scheme['pqclean_scheme'] }}_{{ impl['name'] }}/{{ source_file }}{%- if not loop.last %} {% endif -%}{%- endfor -%})
        {%- endif %}
        {%- if impl['name'] != 'cuda' %}
    target_include_directories({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/{{ impl['upstream']['name'] }}_{{ scheme['pqclean_scheme'] }}_{{ impl['name'] }})
    target_include_directories({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
        {%- if impl['name'] != scheme['default_implementation'] and impl['required_flags'] -%}
@ -60,6 +68,7 @@ if(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme_c'] }}_{{ impl['name'] }}{%- if
        target_compile_definitions({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PRIVATE old_gas_syntax)
    endif()
    	{%- endif %}
        {%- endif %}{# cupqc #}
    set(_{{ family|upper }}_OBJS ${_{{ family|upper }}_OBJS} $<TARGET_OBJECTS:{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}>)
 endif()
    {%- endfor -%}
--- a/scripts/copy_from_upstream/src/kem/family/kem_family.h
+++ b/scripts/copy_from_upstream/src/kem/family/kem_family.h
@ -11,8 +11,14 @@
 #define OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_secret_key {{ scheme['metadata']['length-secret-key'] }}
 #define OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_ciphertext {{ scheme['metadata']['length-ciphertext'] }}
 #define OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_shared_secret {{ scheme['metadata']['length-shared-secret'] }}
 {%- if scheme['metadata']['length-keypair-seed'] is defined %}
 #define OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_keypair_seed {{ scheme['metadata']['length-keypair-seed'] }}
 {%- else %}
 #define OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_keypair_seed 0
 {%- endif %}
 OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_new(void);
 OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair_derand(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed);
 OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
 {% if 'alias_scheme' in scheme %}
@ -20,7 +26,9 @@ OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_decaps(uint8_t *s
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_secret_key OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_secret_key
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_ciphertext OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_ciphertext
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_shared_secret OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_shared_secret
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_keypair_seed OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_keypair_seed
 OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_new(void);
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_keypair_derand OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair_derand
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_keypair OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_encaps OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_encaps
 #define OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_decaps OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_decaps
--- a/scripts/copy_from_upstream/src/kem/family/kem_scheme.c
+++ b/scripts/copy_from_upstream/src/kem/family/kem_scheme.c
@ -11,7 +11,7 @@
 {% endif %}
 OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_new(void) {
-	OQS_KEM *kem = malloc(sizeof(OQS_KEM));
+	OQS_KEM *kem = OQS_MEM_malloc(sizeof(OQS_KEM));
 	if (kem == NULL) {
 		return NULL;
 	}
@ -25,8 +25,10 @@ OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_new(void) {
 	kem->length_secret_key = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_secret_key;
 	kem->length_ciphertext = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_ciphertext;
 	kem->length_shared_secret = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_shared_secret;
 	kem->length_keypair_seed = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_length_keypair_seed;
 	kem->keypair = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair;
 	kem->keypair_derand = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair_derand;
 	kem->encaps = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_encaps;
 	kem->decaps = OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_decaps;
@ -42,7 +44,7 @@ OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_new(void) {
 /** Alias */
 OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_new(void) {
-	OQS_KEM *kem = malloc(sizeof(OQS_KEM));
+	OQS_KEM *kem = OQS_MEM_malloc(sizeof(OQS_KEM));
 	if (kem == NULL) {
 		return NULL;
 	}
@ -56,8 +58,10 @@ OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_new(void) {
 	kem->length_secret_key = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_secret_key;
 	kem->length_ciphertext = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_ciphertext;
 	kem->length_shared_secret = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_shared_secret;
 	kem->length_keypair_seed = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_length_keypair_seed;
 	kem->keypair = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_keypair;
 	kem->keypair_derand = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_keypair_derand;
 	kem->encaps = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_encaps;
 	kem->decaps = OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_decaps;
@ -76,6 +80,11 @@ OQS_KEM *OQS_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_new(void) {
 extern int {{ scheme['metadata']['default_keypair_signature'] }}(uint8_t *pk, uint8_t *sk);
        {%- if impl['signature_keypair_derand'] %}
           {%- set cleankeypairderand = scheme['metadata'].update({'default_keypair_derand_signature': impl['signature_keypair_derand']}) %}
 extern int {{ scheme['metadata']['default_keypair_derand_signature'] }}(uint8_t *pk, uint8_t *sk, const uint8_t *seed);
        {%- endif %}
        {%- if impl['signature_enc'] %}
           {%- set cleanenc = scheme['metadata'].update({'default_enc_signature': impl['signature_enc']}) -%}
        {%- else %}
@ -93,7 +102,9 @@ extern int {{ scheme['metadata']['default_dec_signature']  }}(uint8_t *ss, const
    {%- endfor %}
    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
-
+{% if impl['name'] == 'cuda'%}
 #if defined(OQS_USE_CUPQC)
        {%- endif %}
 #if defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
        {%- if impl['signature_keypair'] %}
 extern int {{ impl['signature_keypair'] }}(uint8_t *pk, uint8_t *sk);
@ -101,6 +112,10 @@ extern int {{ impl['signature_keypair'] }}(uint8_t *pk, uint8_t *sk);
 extern int PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
        {%- endif %}
        {%- if impl['signature_keypair_derand'] %}
 extern int {{ impl['signature_keypair_derand'] }}(uint8_t *pk, uint8_t *sk, const uint8_t *seed);
        {%- endif %}
        {%- if impl['signature_enc'] %}
 extern int {{ impl['signature_enc'] }}(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
        {%- else %}
@ -113,6 +128,9 @@ extern int {{ impl['signature_dec'] }}(uint8_t *ss, const uint8_t *ct, const uin
 extern int PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
        {%- endif %}
 #endif
        {%- if impl['name'] == 'cuda'%}
 #endif /* OQS_USE_CUPQC */
        {%- endif %}
    {%- endfor %}
 {%- if libjade_implementation is defined and scheme['libjade_implementation'] %}
@ -128,6 +146,47 @@ extern int libjade_{{ scheme['pqclean_scheme_c'] }}_{{ impl['name'] }}_dec(uint8
 {% endfor -%}
 {% endif %}
 OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair_derand(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed) {
 {%- if scheme['derandomized_keypair'] %}
    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
    {%- if loop.first %}
 #if defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- else %}
 #elif defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	if ({%- for flag in impl['required_flags'] -%}OQS_CPU_has_extension(OQS_CPU_EXT_{{ flag|upper }}){%- if not loop.last %} && {% endif -%}{%- endfor -%}) {
 #endif /* OQS_DIST_BUILD */
    {%- endif -%}
        {%- if impl['signature_keypair_derand'] %}
 	{% if 'required_flags' in impl and impl['required_flags'] %}	{% endif -%}return (OQS_STATUS) {{ impl['signature_keypair_derand'] }}(public_key, secret_key, seed);
        {%- else %}
 	{% if 'required_flags' in impl and impl['required_flags'] %}	{% endif -%}return (OQS_STATUS) PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_kem_keypair_derand(public_key, secret_key, seed);
        {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	} else {
 		return (OQS_STATUS) {{ scheme['metadata']['default_keypair_derand_signature'] }}(public_key, secret_key, seed);
 	}
 #endif /* OQS_DIST_BUILD */
    {%- endif -%}
    {%- endfor %}
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #else
    {%- endif %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_keypair_derand_signature'] }}(public_key, secret_key, seed);
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #endif
    {%- endif %}
    {%- else %}
 	(void)public_key;
 	(void)secret_key;
 	(void)seed;
 	return OQS_ERROR;
    {%- endif %}
 }
 OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair(uint8_t *public_key, uint8_t *secret_key) {
 {%- if libjade_implementation is defined and scheme['libjade_implementation'] %}
 #if defined(OQS_LIBJADE_BUILD) && (defined(OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['scheme'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}){%- endif %})
@ -166,7 +225,12 @@ OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_keypair(uint8_t *
 {% endfor -%}
 #else /*OQS_LIBJADE_BUILD && (OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['scheme'] }} {%- if 'alias_scheme' in scheme %} || OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}{%- endif %})*/
 {%- endif %}
-    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
+    {%- for impl in scheme['metadata']['implementations'] if impl['name'] == 'cuda' %}
 #if defined(OQS_USE_CUPQC) && defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }})
 	return (OQS_STATUS) {{ impl['signature_keypair'] }}(public_key, secret_key);
 #endif /* OQS_USE_CUPQC && OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} */
    {%- endfor %}
    {%- for impl in scheme['metadata']['implementations'] if (impl['name'] != scheme['default_implementation'] and impl['name'] != 'cuda') %}
    {%- if loop.first %}
 #if defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- else %}
@ -240,7 +304,12 @@ OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_encaps(uint8_t *c
 {% endfor -%}
 #else /*OQS_LIBJADE_BUILD && (OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['scheme'] }} {%- if 'alias_scheme' in scheme %} || OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}{%- endif %})*/
 {%- endif %}
-    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
+    {%- for impl in scheme['metadata']['implementations'] if impl['name'] == 'cuda' %}
 #if defined(OQS_USE_CUPQC) && defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }})
 	return (OQS_STATUS) {{ impl['signature_enc'] }}(ciphertext, shared_secret, public_key);
 #endif /* OQS_USE_CUPQC && OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} */
    {%- endfor %}
    {%- for impl in scheme['metadata']['implementations'] if (impl['name'] != scheme['default_implementation'] and impl['name'] != 'cuda') %}
    {%- if loop.first %}
 #if defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- else %}
@ -314,7 +383,12 @@ OQS_API OQS_STATUS OQS_KEM_{{ family }}_{{ scheme['scheme'] }}_decaps(uint8_t *s
 {% endfor -%}
 #else /*OQS_LIBJADE_BUILD && (OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['scheme'] }} {%- if 'alias_scheme' in scheme %} || OQS_ENABLE_LIBJADE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}{%- endif %})*/
 {%- endif %}
-    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
+    {%- for impl in scheme['metadata']['implementations'] if impl['name'] == 'cuda' %}
 #if defined(OQS_USE_CUPQC) && defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }})
 	return (OQS_STATUS) {{ impl['signature_dec'] }}(shared_secret, ciphertext, secret_key);
 #endif /* OQS_USE_CUPQC && OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} */
    {%- endfor %}
    {%- for impl in scheme['metadata']['implementations'] if (impl['name'] != scheme['default_implementation'] and impl['name'] != 'cuda') %}
    {%- if loop.first %}
 #if defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_KEM_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- else %}
--- a/scripts/copy_from_upstream/src/sig/family/sig_family.h
+++ b/scripts/copy_from_upstream/src/sig/family/sig_family.h
@ -6,6 +6,7 @@
 #include <oqs/oqs.h>
 {% for scheme in schemes -%}
 {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first -%}
 #if defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['alias_scheme'] }}){%- endif %}
 #define OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_public_key {{ scheme['metadata']['length-public-key'] }}
 #define OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_secret_key {{ scheme['metadata']['length-secret-key'] }}
@ -15,6 +16,8 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_new(void);
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *public_key);
 {% if 'alias_scheme' in scheme %}
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_length_public_key OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_public_key
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_length_secret_key OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_secret_key
@ -23,6 +26,10 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_new(void);
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_keypair OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_keypair
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_sign OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_verify OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify
 {%- if 'api-with-context-string' in default_impl and default_impl['api-with-context-string'] %}
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_sign_with_ctx_str OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign
 #define OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_verify_with_ctx_str OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify
 {%- endif %}
 {% endif -%}
 #endif
--- a/scripts/copy_from_upstream/src/sig/family/sig_scheme.c
+++ b/scripts/copy_from_upstream/src/sig/family/sig_scheme.c
@ -9,9 +9,10 @@
 {% if 'alias_scheme' in scheme %}
 #if defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme'] }})
 {% endif %}
 {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first -%}
 OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_new(void) {
-	OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+	OQS_SIG *sig = OQS_MEM_malloc(sizeof(OQS_SIG));
 	if (sig == NULL) {
 		return NULL;
 	}
@ -20,6 +21,12 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_new(void) {
 	sig->claimed_nist_level = {{ scheme['metadata']['claimed-nist-level'] }};
 	sig->euf_cma = {{ scheme['metadata']['euf_cma'] }};
 	sig->suf_cma = {{ scheme['metadata']['suf_cma'] }};
 	{%- if 'api-with-context-string' in default_impl and default_impl['api-with-context-string'] %}
 	sig->sig_with_ctx_support = true;
 	{%- else %}
 	sig->sig_with_ctx_support = false;
 	{%- endif %}
 	sig->length_public_key = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_public_key;
 	sig->length_secret_key = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_secret_key;
@ -28,6 +35,8 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_new(void) {
 	sig->keypair = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_keypair;
 	sig->sign = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign;
 	sig->verify = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify;
 	sig->sign_with_ctx_str = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign_with_ctx_str;
 	sig->verify_with_ctx_str = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify_with_ctx_str;
 	return sig;
 }
@ -41,7 +50,7 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_new(void) {
 /** Alias */
 OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_new(void) {
-	OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+	OQS_SIG *sig = OQS_MEM_malloc(sizeof(OQS_SIG));
 	if (sig == NULL) {
 		return NULL;
 	}
@ -50,6 +59,7 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_new(void) {
 	sig->claimed_nist_level = {{ scheme['metadata']['claimed-nist-level'] }};
 	sig->euf_cma = {{ scheme['metadata']['euf_cma'] }};
 	sig->suf_cma = {{ scheme['metadata']['suf_cma'] }};
 	sig->length_public_key = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_public_key;
 	sig->length_secret_key = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_length_secret_key;
@ -58,6 +68,13 @@ OQS_SIG *OQS_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_new(void) {
 	sig->keypair = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_keypair;
 	sig->sign = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign;
 	sig->verify = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify;
    {%- if 'api-with-context-string' in default_impl and default_impl['api-with-context-string'] %}
 	sig->sign_with_ctx_str = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign_with_ctx_str;
 	sig->verify_with_ctx_str = OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify_with_ctx_str;
    {%- else %}
    sig->sign_with_ctx_str = NULL
 	sig->verify_with_ctx_str = NULL;
    {%- endif %}
 	return sig;
 }
@ -79,14 +96,22 @@ extern int {{ scheme['metadata']['default_keypair_signature'] }}(uint8_t *pk, ui
        {%- else %}
           {%- set cleansignature = scheme['metadata'].update({'default_signature_signature': "PQCLEAN_"+scheme['pqclean_scheme_c']|upper+"_"+scheme['default_implementation']|upper+"_crypto_sign_signature"}) -%}
        {%- endif %}
 {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 extern int {{ scheme['metadata']['default_signature_signature'] }}(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, const uint8_t *sk);
 {%- else %}
 extern int {{ scheme['metadata']['default_signature_signature'] }}(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
 {%- endif %}
        {%- if impl['signature_verify'] %}
           {%- set cleanverify = scheme['metadata'].update({'default_verify_signature': impl['signature_verify']}) -%}
        {%- else %}
           {%- set cleanverify = scheme['metadata'].update({'default_verify_signature': "PQCLEAN_"+scheme['pqclean_scheme_c']|upper+"_"+scheme['default_implementation']|upper+"_crypto_sign_verify"}) -%}
        {%- endif %}
 {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 extern int {{ scheme['metadata']['default_verify_signature']  }}(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, const uint8_t *pk);
 {%- else %}
 extern int {{ scheme['metadata']['default_verify_signature']  }}(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
 {%- endif %}
    {%- endfor %}
@ -100,13 +125,21 @@ extern int PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper
        {%- endif %}
        {%- if impl['signature_signature'] %}
 {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 extern int {{ impl['signature_signature'] }}(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, const uint8_t *sk);
 {%- else %}
 extern int {{ impl['signature_signature'] }}(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
 {%- endif %}
        {%- else %}
 extern int PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
        {%- endif %}
        {%- if impl['signature_verify'] %}
 {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 extern int {{ impl['signature_verify'] }}(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, const uint8_t *pk);
 {%- else %}
 extern int {{ impl['signature_verify'] }}(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
 {%- endif %}
        {%- else %}
 extern int PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
        {%- endif %}
@ -160,14 +193,22 @@ OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign(uint8_t *sig
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
           {%- if impl['signature_signature'] %}
           {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 		return (OQS_STATUS) {{ impl['signature_signature'] }}(signature, signature_len, message, message_len, NULL, 0, secret_key);
           {%- else %}
 		return (OQS_STATUS) {{ impl['signature_signature'] }}(signature, signature_len, message, message_len, secret_key);
           {%- endif %}
           {%- else %}
 		return (OQS_STATUS) PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
           {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	} else {
        {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 		return (OQS_STATUS) {{ scheme['metadata']['default_signature_signature'] }}(signature, signature_len, message, message_len, NULL, 0, secret_key);
        {%- else %}
 		return (OQS_STATUS) {{ scheme['metadata']['default_signature_signature'] }}(signature, signature_len, message, message_len, secret_key);
        {%- endif %}
 	}
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
@ -175,7 +216,12 @@ OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign(uint8_t *sig
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #else
    {%- endif %}
    {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first -%}
    {%- if 'api-with-context-string' in default_impl and default_impl['api-with-context-string'] %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_signature_signature'] }}(signature, signature_len, message, message_len, NULL, 0, secret_key);
    {%- else %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_signature_signature'] }}(signature, signature_len, message, message_len, secret_key);
    {%- endif %}
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #endif
    {%- endif %}
@ -194,14 +240,22 @@ OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify(const uint
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
           {%- if impl['signature_verify'] %}
           {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 		return (OQS_STATUS) {{ impl['signature_verify'] }}(signature, signature_len, message, message_len, NULL, 0, public_key);
           {%- else %}
 		return (OQS_STATUS) {{ impl['signature_verify'] }}(signature, signature_len, message, message_len, public_key);
           {%- endif %}
           {%- else %}
 		return (OQS_STATUS) PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
           {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	} else {
        {%- if 'api-with-context-string' in impl and impl['api-with-context-string'] %}
 		return (OQS_STATUS) {{ scheme['metadata']['default_verify_signature'] }}(signature, signature_len, message, message_len, NULL, 0, public_key);
        {%- else %}
 		return (OQS_STATUS) {{ scheme['metadata']['default_verify_signature'] }}(signature, signature_len, message, message_len, public_key);
        {%- endif %}
 	}
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
@ -209,11 +263,105 @@ OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify(const uint
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #else
    {%- endif %}
    {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first -%}
    {%- if 'api-with-context-string' in default_impl and default_impl['api-with-context-string'] %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_verify_signature'] }}(signature, signature_len, message, message_len, NULL, 0, public_key);
    {%- else %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_verify_signature'] }}(signature, signature_len, message, message_len, public_key);
    {%- endif %}
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #endif
    {%- endif %}
 }
 {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first %}
 {%- if 'api-with-context-string' in default_impl and default_impl['api-with-context-string'] %}
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *secret_key) {
    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
    {%- if loop.first %}
 #if defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- else %}
 #elif defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	if ({%- for flag in impl['required_flags'] -%}OQS_CPU_has_extension(OQS_CPU_EXT_{{ flag|upper }}){%- if not loop.last %} && {% endif -%}{%- endfor -%}) {
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
           {%- if impl['signature_signature'] %}
 		return (OQS_STATUS) {{ impl['signature_signature'] }}(signature, signature_len, message, message_len, ctx_str, ctx_str_len, secret_key);
           {%- else %}
 		return (OQS_STATUS) PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_sign_signature(signature, signature_len, message, message_len, ctx_str, ctx_str_len, secret_key);
           {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	} else {
 		return (OQS_STATUS) {{ scheme['metadata']['default_signature_signature'] }}(signature, signature_len, message, message_len, ctx_str, ctx_str_len, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
    {%- endfor %}
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #else
    {%- endif %}
    {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_signature_signature'] }}(signature, signature_len, message, message_len, ctx_str, ctx_str_len, secret_key);
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #endif
    {%- endif %}
 }
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *public_key) {
    {%- for impl in scheme['metadata']['implementations'] if impl['name'] != scheme['default_implementation'] %}
    {%- if loop.first %}
 #if defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- else %}
 #elif defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}) {%- if 'alias_scheme' in scheme %} || defined(OQS_ENABLE_SIG_{{ family }}_{{ scheme['alias_scheme'] }}_{{ impl['name'] }}){%- endif %}
    {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	if ({%- for flag in impl['required_flags'] -%}OQS_CPU_has_extension(OQS_CPU_EXT_{{ flag|upper }}){%- if not loop.last %} && {% endif -%}{%- endfor -%}) {
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
           {%- if impl['signature_verify'] %}
 		return (OQS_STATUS) {{ impl['signature_verify'] }}(signature, signature_len, message, message_len, ctx_str, ctx_str_len, public_key);
           {%- else %}
 		return (OQS_STATUS) PQCLEAN_{{ scheme['pqclean_scheme_c']|upper }}_{{ impl['name']|upper }}_crypto_sign_verify(signature, signature_len, message, message_len, ctx_str, ctx_str_len, public_key);
           {%- endif %}
    {%- if 'required_flags' in impl and impl['required_flags'] %}
 #if defined(OQS_DIST_BUILD)
 	} else {
 		return (OQS_STATUS) {{ scheme['metadata']['default_verify_signature'] }}(signature, signature_len, message, message_len, ctx_str, ctx_str_len, public_key);
 	}
 #endif /* OQS_DIST_BUILD */
    {%- endif %}
    {%- endfor %}
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #else
    {%- endif %}
    {%- set default_impl = scheme['metadata']['implementations'] | selectattr("name", "equalto", scheme['default_implementation']) | first %}
 	return (OQS_STATUS) {{ scheme['metadata']['default_verify_signature'] }}(signature, signature_len, message, message_len, ctx_str, ctx_str_len, public_key);
    {%- if scheme['metadata']['implementations']|rejectattr('name', 'equalto', scheme['default_implementation'])|list %}
 #endif
    {%- endif %}
 }
 {%- else %}
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *secret_key) {
 	if (ctx_str == NULL && ctx_str_len == 0) {
 		return OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_sign(signature, signature_len, message, message_len, secret_key);
 	} else {
 		return OQS_ERROR;
 	}
 }
 OQS_API OQS_STATUS OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *public_key) {
 	if (ctx_str == NULL && ctx_str_len == 0) {
 		return OQS_SIG_{{ family }}_{{ scheme['scheme'] }}_verify(message, message_len, signature, signature_len, public_key);
 	} else {
 		return OQS_ERROR;
 	}
 }
 {%- endif %}
 #endif
 {% endfor -%}
--- a/scripts/copy_from_upstream/tests/kat_sig.c/combine_message_signature.fragment
+++ b/scripts/copy_from_upstream/tests/kat_sig.c/combine_message_signature.fragment
@ -3,7 +3,7 @@
 {%- if scheme['signed_msg_order'] == 'sig_then_msg' %}
 		// signed_msg = signature || msg
 		*signed_msg_len = signature_len + msg_len;
-		*signed_msg = malloc(*signed_msg_len);
+		*signed_msg = OQS_MEM_malloc(*signed_msg_len);
 		if (*signed_msg == NULL) {
 			return OQS_ERROR;
 		}
@ -13,7 +13,7 @@
 {%- elif scheme['signed_msg_order'] == 'msg_then_sig' %}
 		// signed_msg = msg || signature
 		*signed_msg_len = msg_len + signature_len;
-		*signed_msg = malloc(*signed_msg_len);
+		*signed_msg = OQS_MEM_malloc(*signed_msg_len);
 		if (*signed_msg == NULL) {
 			return OQS_ERROR;
 		}
@ -24,7 +24,7 @@
 		// signed_msg = sig_len (2 bytes, big endian) || nonce (40 bytes) || msg || 0x29 || sig
 		const uint16_t signature_len_uint16 = (uint16_t)signature_len;
 		*signed_msg_len = 2 + signature_len_uint16 + msg_len;
-		*signed_msg = malloc(*signed_msg_len);
+		*signed_msg = OQS_MEM_malloc(*signed_msg_len);
 		if (*signed_msg == NULL) {
 			return OQS_ERROR;
 		}
@ -44,7 +44,7 @@
 		// signed_msg = sig_len (2 bytes, big endian) || nonce (40 bytes) || msg || 0x2A || sig
 		const uint16_t signature_len_uint16 = (uint16_t)signature_len;
 		*signed_msg_len = 2 + signature_len + msg_len;
-		*signed_msg = malloc(*signed_msg_len);
+		*signed_msg = OQS_MEM_malloc(*signed_msg_len);
 		if (*signed_msg == NULL) {
 			return OQS_ERROR;
 		}
--- a/scripts/copy_from_upstream/update_upstream_alg_docs.py
+++ b/scripts/copy_from_upstream/update_upstream_alg_docs.py
@ -95,8 +95,43 @@ def update_upstream_kem_alg_docs(liboqs_root, kems, upstream_info, write_changes
            oqs_yaml_path = os.path.join(liboqs_root, 'docs', 'algorithms', 'kem', '{}.yml'.format(kem['name']))
            if os.path.isfile(oqs_yaml_path):
               oqs_yaml = load_yaml(oqs_yaml_path)
            upstream_base_url = ui['git_url'][:-len(".git")]
            # upstream is special: We will take the upstream git commit information 
            # (possibly with added patch comment) as it is what drove the update
            # Need to check if yml is of old format. If so, update to new format
            if 'primary-upstream' not in oqs_yaml:
                print("Updating format of {}. Please double check ordering of yaml file".format(scheme['pretty_name_full']))
                lhs = oqs_yaml['upstream']
                oqs_yaml['primary-upstream'] = dict()
                oqs_yaml['primary-upstream']['spdx-license-identifier'] = oqs_yaml['spdx-license-identifier']
                for i in range(len(oqs_yaml['parameter-sets'])):
                    for j in range(len(oqs_yaml['parameter-sets'][i]['implementations'])):
                        oqs_yaml['parameter-sets'][i]['implementations'][j]['upstream'] = 'primary-upstream'
            else:
-                continue
+                lhs = oqs_yaml['primary-upstream']['source']
            oqs_yaml['primary-upstream']['source'] = rhs_if_not_equal(lhs, ("{}/commit/{}"+patches_done).format(upstream_base_url, ui['git_commit']), "primary-upstream")
            if 'upstream' in oqs_yaml:
                del oqs_yaml['upstream']
                del oqs_yaml['spdx-license-identifier']
            if ouis:
                for upstream in ouis:
                    optimized_upstream_base_url = ouis[upstream]['git_url'][:-len(".git")]
                    optimized_patches_done=""
                    if 'patches' in ouis[upstream]:
                        for patchfilename in ouis[upstream]['patches']:
                            if kem['name'] in patchfilename:
                                optimized_patches_done=" with copy_from_upstream patches"
                    if 'optimized-upstreams' in oqs_yaml and upstream in oqs_yaml['optimized-upstreams']:
                        lhs = oqs_yaml['optimized-upstreams'][upstream]['source']
                    else:
                        lhs = ''
                        oqs_yaml['optimized-upstreams'] = oqs_yaml.get('optimized-upstreams', dict())
                        oqs_yaml['optimized-upstreams'][upstream] = oqs_yaml['optimized-upstreams'].get(upstream, dict())
                    git_commit = ouis[upstream]['git_commit']
                    oqs_yaml['optimized-upstreams'][upstream]['source'] = rhs_if_not_equal(lhs, ("{}/commit/{}"+optimized_patches_done).format(optimized_upstream_base_url, git_commit), "optimized-upstreams")
            # We cannot assume that the ordering of "parameter-sets"
            # in the OQS YAML files matches that of copy_from_upstream.yml
@ -111,45 +146,6 @@ def update_upstream_kem_alg_docs(liboqs_root, kems, upstream_info, write_changes
                oqs_yaml['type'] = rhs_if_not_equal(oqs_yaml['type'], upstream_yaml['type'], "type")
                oqs_yaml['principal-submitters'] = rhs_if_not_equal(oqs_yaml['principal-submitters'], upstream_yaml['principal-submitters'], "principal-submitters")
                upstream_base_url = ui['git_url'][:-len(".git")]
                # upstream is special: We will take the upstream git commit information 
                # (possibly with added patch comment) as it is what drove the update
                # Need to check if yml is of old format. If so, update to new format
                if 'primary-upstream' not in oqs_yaml:
                    print("Updating format of {}. Please double check ordering of yaml file".format(scheme['pretty_name_full']))
                    lhs = oqs_yaml['upstream']
                    oqs_yaml['primary-upstream'] = dict()
                    oqs_yaml['primary-upstream']['spdx-license-identifier'] = oqs_yaml['spdx-license-identifier']
                    for i in range(len(oqs_yaml['parameter-sets'])):
                        for j in range(len(oqs_yaml['parameter-sets'][i]['implementations'])):
                            oqs_yaml['parameter-sets'][i]['implementations'][j]['upstream'] = 'primary-upstream'
                else:
                    lhs = oqs_yaml['primary-upstream']['source']
                oqs_yaml['primary-upstream']['source'] = rhs_if_not_equal(lhs, ("{}/commit/{}"+patches_done).format(upstream_base_url, ui['git_commit']), "primary-upstream")
                if 'upstream' in oqs_yaml:
                    del oqs_yaml['upstream']
                    del oqs_yaml['spdx-license-identifier']
                if ouis:
                    for upstream in ouis:
                        optimized_upstream_base_url = ouis[upstream]['git_url'][:-len(".git")]
                        for patchfilename in ouis[upstream]['patches']:
                            if kem['name'] in patchfilename:
                                patches_done=" with copy_from_upstream patches"
                        patches_done=""
                        if 'patches' in ouis[upstream]:
                            for patchfilename in ouis[upstream]['patches']:
                                if kem['name'] in patchfilename:
                                    patches_done=" with copy_from_upstream patches"
                        if 'optimized-upstreams' in oqs_yaml and upstream in oqs_yaml['optimized-upstreams']:
                            lhs = oqs_yaml['optimized-upstreams'][upstream]['source']
                        else:
                            lhs = ''
                        git_commit = ouis[upstream]['git_commit']
                        oqs_yaml['optimized-upstreams'][upstream]['source'] = rhs_if_not_equal(lhs, ("{}/commit/{}"+patches_done).format(optimized_upstream_base_url, git_commit), "optimized-upstreams")
                if 'auxiliary-submitters' in upstream_yaml:
                        oqs_yaml['auxiliary-submitters'] = rhs_if_not_equal(oqs_yaml['auxiliary-submitters'] if 'auxiliary-submitters' in oqs_yaml else '', upstream_yaml['auxiliary-submitters'], "auxiliary-submitters")
@ -169,6 +165,9 @@ def update_upstream_kem_alg_docs(liboqs_root, kems, upstream_info, write_changes
                oqs_scheme_yaml['length-secret-key'] = rhs_if_not_equal(oqs_scheme_yaml['length-secret-key'], upstream_yaml['length-secret-key'], "legnth-secret-key")
                oqs_scheme_yaml['length-shared-secret'] = rhs_if_not_equal(oqs_scheme_yaml['length-shared-secret'], upstream_yaml['length-shared-secret'], "length-shared-secret")
                if "length-keypair-seed" in oqs_scheme_yaml:
                    oqs_scheme_yaml['length-keypair-seed'] = rhs_if_not_equal(oqs_scheme_yaml['length-keypair-seed'], upstream_yaml['length-keypair-seed'], "length-keypair-seed")
                _upstream_yaml = upstream_yaml
                for impl_index, impl in enumerate(oqs_scheme_yaml['implementations']):
                    if impl['upstream'] != 'libjade':
@ -204,7 +203,7 @@ def update_upstream_kem_alg_docs(liboqs_root, kems, upstream_info, write_changes
                                    upstream_impl['supported_platforms'][i]['architecture'] = 'ARM64_V8'
                                    if 'asimd' in upstream_impl['supported_platforms'][i]['required_flags']:
                                        upstream_impl['supported_platforms'][i]['required_flags'].remove('asimd')
-                                if not upstream_impl['supported_platforms'][i]['required_flags']:
+                                if 'required_flags' in upstream_impl['supported_platforms'][i] and not upstream_impl['supported_platforms'][i]['required_flags']:
                                    del upstream_impl['supported_platforms'][i]['required_flags']
                            impl['supported-platforms'] = rhs_if_not_equal(impl['supported-platforms'], upstream_impl['supported_platforms'], "supported-platforms")
@ -383,7 +382,8 @@ def update_upstream_sig_alg_docs(liboqs_root, sigs, upstream_info, write_changes
                    oqs_scheme_yaml['name'] = rhs_if_not_equal(oqs_scheme_yaml['name'], upstream_yaml['name'], "scheme pretty name")
                oqs_scheme_yaml['claimed-nist-level'] = rhs_if_not_equal(oqs_scheme_yaml['claimed-nist-level'], upstream_yaml['claimed-nist-level'], "claimed-nist-level")
-                oqs_scheme_yaml['claimed-security'] = rhs_if_not_equal(oqs_scheme_yaml['claimed-security'], 'EUF-CMA', "claimed-security")
+                if oqs_scheme_yaml['claimed-security'] not in ["EUF-CMA", "SUF-CMA"]:
                    oqs_scheme_yaml['claimed-security'] = rhs_if_not_equal(oqs_scheme_yaml['claimed-security'], 'EUF-CMA', "claimed-security")
                oqs_scheme_yaml['length-public-key'] = rhs_if_not_equal(oqs_scheme_yaml['length-public-key'], upstream_yaml['length-public-key'], "length-public-key")
                oqs_scheme_yaml['length-secret-key'] = rhs_if_not_equal(oqs_scheme_yaml['length-secret-key'], upstream_yaml['length-secret-key'], "legnth-secret-key")
                oqs_scheme_yaml['length-signature'] = rhs_if_not_equal(oqs_scheme_yaml['length-signature'], upstream_yaml['length-signature'], "length-signature")
--- a/scripts/noregress.sh
+++ b/scripts/noregress.sh
@ -15,7 +15,18 @@ fi
 # Approach: Check out $1 into tmp folder, build, run speed_kem|sig and compare results
-mkdir tmp && cd tmp && git clone --depth 1 --branch $1 https://github.com/open-quantum-safe/liboqs && cd liboqs && mkdir build && cd build && cmake $2 .. && $MAKECMD && ./tests/speed_kem > ../../speed_kem.log && ./tests/speed_sig > ../../speed_sig.log && cd ../../..
+mkdir tmp && \
 cd tmp && \
 git clone --depth 1 --branch $1 https://github.com/open-quantum-safe/liboqs && \
 cd liboqs && \
 mkdir build && \
 cd build && \
 cmake $2 .. && \
 $MAKECMD && \
 ./tests/speed_kem > ../../speed_kem.log && \
 ./tests/speed_sig > ../../speed_sig.log && \
 ./tests/speed_sig_stfl --limit10 > ../../speed_sig_stfl.log && \
 cd ../../..
 if [ $? -ne 0 ]; then
   echo "Build and test of baseline $1 failed. Exiting."
@ -24,7 +35,13 @@ fi
 # transform results into JSON files for simple comparison
-cd tmp && git clone --depth 1 https://github.com/open-quantum-safe/profiling.git && cd profiling/perf/scripts && python3 parse_liboqs_speed.py ../../../speed_kem.log && python3 parse_liboqs_speed.py ../../../speed_sig.log && cd ../../../..
+cd tmp && \
 git clone --depth 1 https://github.com/open-quantum-safe/profiling.git && \
 cd profiling/perf/scripts && \
 python3 parse_liboqs_speed.py ../../../speed_kem.log && \
 python3 parse_liboqs_speed.py ../../../speed_sig.log && \
 python3 parse_liboqs_speed.py ../../../speed_sig_stfl.log && \
 cd ../../../..
 if [ $? -ne 0 ]; then
   echo "Failure converting results. Exiting."
@ -32,7 +49,19 @@ if [ $? -ne 0 ]; then
 fi
 # obtain current base speed results
-rm -rf build && mkdir build && cd build && cmake $2 .. && $MAKECMD && ./tests/speed_kem > speed_kem.log && ./tests/speed_sig > speed_sig.log && cd ../tmp/profiling/perf/scripts && python3 parse_liboqs_speed.py ../../../../build/speed_kem.log && python3 parse_liboqs_speed.py ../../../../build/speed_sig.log && cd ../../../..
+rm -rf build && \
 mkdir build && \
 cd build && \
 cmake $2 .. && \
 $MAKECMD && \
 ./tests/speed_kem > speed_kem.log && \
 ./tests/speed_sig > speed_sig.log && \
 ./tests/speed_sig_stfl --limit10 > speed_sig_stfl.log && \
 cd ../tmp/profiling/perf/scripts && \
 python3 parse_liboqs_speed.py ../../../../build/speed_kem.log && \
 python3 parse_liboqs_speed.py ../../../../build/speed_sig.log && \
 python3 parse_liboqs_speed.py ../../../../build/speed_sig_stfl.log && \
 cd ../../../..
 if [ $? -ne 0 ]; then
   echo "Failure creating current results. Exiting."
@ -40,4 +69,6 @@ if [ $? -ne 0 ]; then
 fi
 # now compare results using old/tmp runs as baseline (for list of algorithms)
-python3 scripts/noregress.py tmp/speed_kem.json build/speed_kem.json && python3 scripts/noregress.py tmp/speed_sig.json build/speed_sig.json
+python3 scripts/noregress.py tmp/speed_kem.json build/speed_kem.json && \
 python3 scripts/noregress.py tmp/speed_sig.json build/speed_sig.json && \
 python3 scripts/noregress.py tmp/speed_sig_stfl.json build/speed_sig_stfl.json
--- a/scripts/parse_liboqs_speed.py
+++ b/scripts/parse_liboqs_speed.py
@ -0,0 +1,71 @@
 # SPDX-License-Identifier: MIT
 import json
 import re
 import argparse
 from enum import Enum
 class State(Enum):
   starting=0
   config=1
   parsing=2
 data=[]
 # Parse command-line arguments
 parser = argparse.ArgumentParser(description="Parse speed_kem output and extract cycles.")
 parser.add_argument("logfile", help="Log file to parse")
 parser.add_argument("--algorithm", help="Algorithm name (e.g., BIKE-L1)", required=True)
 args = parser.parse_args()
 fn = args.logfile
 alg = args.algorithm
 state = State.starting
 config = ''
 with open(fn) as fp: 
   while True:
      line = fp.readline() 
      if not line: 
         break 
      # Remove newlines
      line = line.rstrip()
      if state==State.starting:
         if line.startswith("Configuration info"):
            state=State.config
            fp.readline()
      elif state==State.config:
         if line=="\n": # Skip forward
            fp.readline()
            fp.readline()
         if line.startswith("-------"):
            state=State.parsing
         elif line.startswith("Started at"):
            fp.readline()
         elif ":" in line:
            config = config + line[:line.index(":")] + ": " + line[line.index(":")+1:].lstrip() + " | " # Retrieve build configuration
      elif state==State.parsing:
         if line.startswith("Ended"): # Finish
            break
         else:
            alg = line[:line.index(" ")]
            p = re.compile('\S+\s*\|')
            for i in 0,1,2: # Iterate through the different operations under each algorithm
               x=p.findall(fp.readline().rstrip())
               tag = x[0][:x[0].index(" ")] # keygen, encaps, decaps
               iterations = float(x[1][:x[1].index(" ")]) # Iterations
               total_t = float(x[2][:x[2].index(" ")]) # Total time
               mean_t = float(x[3][:x[3].index(" ")]) # Mean time in microseconds
               cycles = int(x[5][:x[5].index(" ")]) # Cycles
               val = iterations/total_t # Number of iterations per second
               data.append({"name": alg + " " + tag, "value": cycles, "unit": "cycles", "extra": config})
      else:
         print("Unknown state: %s" % (line))
 # Dump data
 output_file = f"{alg}_formatted.json"
 with open(output_file, 'w') as outfile:
    json.dump(data, outfile)
--- a/scripts/run_doxygen.sh
+++ b/scripts/run_doxygen.sh
@ -8,10 +8,11 @@ if [ "$#" -ne 3 ]; then
 fi
 # Doxygen can't handle Github Markdown so we temporarily reformat it
-cp README.md README.md-orig
+for file in README.md CONFIGURE.md SECURITY.md
-python3 scripts/doxyfy.py README.md-orig README.md
+do
-cp CONFIGURE.md CONFIGURE.md-orig
+	cp $file $file-orig
-python3 scripts/doxyfy.py CONFIGURE.md-orig CONFIGURE.md
+	python3 scripts/doxyfy.py $file-orig $file
 done
 # run doxygen:
 mkdir -p "$3/docs"
@ -19,7 +20,9 @@ env DOXYGEN_DESTIONATION_DIR="$3/docs" "$1" "$2"
 EXITCODE=$?
 # undo the Github Markdown reformatting
-mv README.md-orig README.md
+for file in README.md CONFIGURE.md SECURITY.md
-mv CONFIGURE.md-orig CONFIGURE.md
+do
 	mv $file-orig $file
 done
-exit ${EXITCODE}
+exit ${EXITCODE}
--- a/scripts/update_cbom.py
+++ b/scripts/update_cbom.py
@ -12,7 +12,7 @@ import os
 import json
 import git
 import uuid
-from datetime import datetime
+import datetime
 import copy
 cbom_json_file = "cbom.json"
@ -38,28 +38,26 @@ bom_algs_use_dependencies = {}
 ## Common crypto components: aes, sha3
 common_crypto_component_aes = {
-      "type": "crypto-asset",
+      "type": "cryptographic-asset",
      "bom-ref": "alg:aes",
      "name": "aes",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
-          "variant": "aes",
+          "primitive": "block-cipher",
-          "primitive": "blockcipher",
+          "executionEnvironment": "software-plain-ram"
          "implementationLevel": "softwarePlainRam"
        }
      }
    }
 common_crypto_component_sha3 = {
-      "type": "crypto-asset",
+      "type": "cryptographic-asset",
      "bom-ref": "alg:sha3",
      "name": "sha3",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "variant": "sha3",
          "primitive": "hash",
-          "implementationLevel": "softwarePlainRam"
+          "executionEnvironment": "software-plain-ram"
        }
      }
    }
@ -68,24 +66,24 @@ def add_cbom_component(out, kem_yaml, parameter_set):
    primitive = kem_yaml['type']
    component = {}
-    component['type'] = "crypto-asset"
+    component['type'] = "cryptographic-asset"
    component['bom-ref'] = "alg:" + parameter_set['name']
    component['name'] = kem_yaml['name']
    algorithmProperties = {}
-    algorithmProperties['variant'] = parameter_set['name']
+    algorithmProperties['parameterSetIdentifier'] = parameter_set['name']
    algorithmProperties['primitive'] = primitive
-    algorithmProperties['implementationLevel'] = "softwarePlainRam"
+    algorithmProperties['executionEnvironment'] = "software-plain-ram"
    if primitive == 'kem':
        algorithmProperties['cryptoFunctions'] = ["keygen", "encapsulate", "decapsulate"]
    elif primitive == 'signature':
        algorithmProperties['cryptoFunctions'] = ["keygen", "sign", "verify"]
    algorithmProperties['nistQuantumSecurityLevel'] = parameter_set['claimed-nist-level']
    cryptoProperties = {}
    cryptoProperties['assetType'] = "algorithm"
    cryptoProperties['algorithmProperties'] = algorithmProperties
    cryptoProperties['nistQuantumSecurityLevel'] = parameter_set['claimed-nist-level']
    component['cryptoProperties'] = cryptoProperties
@ -164,7 +162,7 @@ def build_cbom(liboqs_root, liboqs_version):
    cbom_components.insert(0, liboqs_component)
    metadata = {}
-    metadata['timestamp'] = datetime.now().isoformat()
+    metadata['timestamp'] = datetime.datetime.now(datetime.timezone.utc).isoformat()
    metadata['component'] = liboqs_component
    ## Dependencies
@ -172,21 +170,20 @@ def build_cbom(liboqs_root, liboqs_version):
    dependencies = []
    dependencies.append({
        "ref": liboqs_component['bom-ref'],
-        "dependsOn": bom_algs_bomrefs,
+        "provides": bom_algs_bomrefs
        "dependencyType": "implements"
    })
    for usedep in bom_algs_use_dependencies.keys():
        dependencies.append({
            "ref": usedep,
-            "dependsOn": bom_algs_use_dependencies[usedep],
+            "dependsOn": bom_algs_use_dependencies[usedep]
            "dependencyType": "uses"
        })
    ## CBOM
    cbom = {}
-    cbom['bomFormat'] = "CBOM"
+    cbom['$schema'] = "https://raw.githubusercontent.com/CycloneDX/specification/1.6/schema/bom-1.6.schema.json"
-    cbom['specVersion'] = "1.4-cbom-1.0"
+    cbom['bomFormat'] = "CycloneDX"
    cbom['specVersion'] = "1.6"
    cbom['serialNumber'] = "urn:uuid:" + str(uuid.uuid4())
    cbom['version'] = 1
    cbom['metadata'] = metadata
--- a/scripts/update_docs_from_yaml.py
+++ b/scripts/update_docs_from_yaml.py
@ -75,7 +75,8 @@ def do_it(liboqs_root):
                      'Public key size (bytes)',
                      'Secret key size (bytes)',
                      'Ciphertext size (bytes)',
-                      'Shared secret size (bytes)']]
+                      'Shared secret size (bytes)',
                      'Keypair seed size (bytes)']]
            for parameter_set in kem_yaml['parameter-sets']:
                table.append([parameter_set['name'],
                              parameter_set['alias'] if 'alias' in parameter_set else "NA",
@ -84,7 +85,8 @@ def do_it(liboqs_root):
                              parameter_set['length-public-key'],
                              parameter_set['length-secret-key'],
                              parameter_set['length-ciphertext'],
-                              parameter_set['length-shared-secret']])
+                              parameter_set['length-shared-secret'],
                              parameter_set['length-keypair-seed'] if 'length-keypair-seed' in parameter_set else "NA"])
            out_md.write(tabulate.tabulate(table, tablefmt="pipe", headers="firstrow", colalign=("center",)))
            out_md.write('\n')
@ -393,7 +395,23 @@ def do_it(liboqs_root):
    with open(readme_path, mode='w', encoding='utf-8') as readme:
        readme.write(preamble + identifier_start + '\n')
-        for sig_yaml in sig_yamls[:-1]: # SPHINCS is last in this sorted list and requires special handling.
+        for sig_yaml in sig_yamls:
            # SPHINCS requires special handling.
            if "SPHINCS" in sig_yaml["name"]:
                for hash_func in ['SHA2', 'SHAKE']:
                    parameter_sets = [pset for pset in sig_yaml['parameter-sets'] if hash_func in pset['name']]
                    if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']):
                        readme.write('- **SPHINCS+-{}**: {}†'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_')))
                    else:
                        readme.write('- **SPHINCS+-{}**: {}'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_')))
                    for parameter_set in parameter_sets[1:]:
                        if any(impl['large-stack-usage'] for impl in parameter_set['implementations']):
                            readme.write(', {}†'.format(parameter_set['name'].replace('_', '\\_')))
                        else:
                            readme.write(', {}'.format(parameter_set['name'].replace('_', '\\_')))
                    readme.write('\n')
                continue
            parameter_sets = sig_yaml['parameter-sets']
            if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']):
                readme.write('- **{}**: {}†'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\\_')))
@ -414,19 +432,6 @@ def do_it(liboqs_root):
                        readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\\_'))
            readme.write('\n')
        sphincs_yml = sig_yamls[-1]
        for hash_func in ['SHA2', 'SHAKE']:
            parameter_sets = [pset for pset in sphincs_yml['parameter-sets'] if hash_func in pset['name']]
            if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']):
                readme.write('- **SPHINCS+-{}**: {}†'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_')))
            else:
                readme.write('- **SPHINCS+-{}**: {}'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_')))
            for parameter_set in parameter_sets[1:]:
                if any(impl['large-stack-usage'] for impl in parameter_set['implementations']):
                    readme.write(', {}†'.format(parameter_set['name'].replace('_', '\\_')))
                else:
                    readme.write(', {}'.format(parameter_set['name'].replace('_', '\\_')))
            readme.write('\n')
        readme.write(postamble)
--- a/scripts/validate_cbom.sh
+++ b/scripts/validate_cbom.sh
@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MIT
 cd "$(dirname "$0")"
-wget -nc https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json
+wget -nc https://raw.githubusercontent.com/CycloneDX/specification/1.6/schema/bom-1.6.schema.json
-wget -nc https://raw.githubusercontent.com/IBM/CBOM/main/spdx.schema.json
+wget -nc https://raw.githubusercontent.com/CycloneDX/specification/1.6/schema/spdx.schema.json
-wget -nc https://raw.githubusercontent.com/IBM/CBOM/main/jsf-0.82.schema.json
+wget -nc https://raw.githubusercontent.com/CycloneDX/specification/1.6/schema/jsf-0.82.schema.json
-ajv validate --spec=draft7 --validate-formats=false -r spdx.schema.json -r jsf-0.82.schema.json --strict=false -s bom-1.4-cbom-1.0.schema.json -d ../docs/cbom.json
+ajv validate --spec=draft7 --validate-formats=false -r spdx.schema.json -r jsf-0.82.schema.json --strict=false -s bom-1.6.schema.json -d ../docs/cbom.json
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -63,6 +63,14 @@ if(OQS_ENABLE_SIG_CROSS)
    add_subdirectory(sig/cross)
    set(SIG_OBJS ${SIG_OBJS} ${CROSS_OBJS})
 endif()
 if(OQS_ENABLE_SIG_UOV)
    add_subdirectory(sig/uov)
    set(SIG_OBJS ${SIG_OBJS} ${UOV_OBJS})
 endif()
 if(OQS_ENABLE_SIG_SNOVA)
    add_subdirectory(sig/snova)
    set(SIG_OBJS ${SIG_OBJS} ${SNOVA_OBJS})
 endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_ADD_ALG_OBJECTS_END
 if(OQS_ENABLE_SIG_STFL_XMSS)
@ -99,6 +107,11 @@ if(${OQS_USE_OPENSSL})
    target_link_libraries(oqs-internal PRIVATE ${OPENSSL_CRYPTO_LIBRARY})
  endif()
 endif()
 if(${OQS_USE_CUPQC})
    set_property(TARGET oqs PROPERTY CUDA_RESOLVE_DEVICE_SYMBOLS ON)
    target_link_libraries(oqs PRIVATE cupqc)
    target_link_options(oqs PRIVATE $<DEVICE_LINK: -dlto>)
 endif()
 target_include_directories(oqs
                           PUBLIC
@ -121,7 +134,7 @@ set_target_properties(oqs
    ARCHIVE_OUTPUT_DIRECTORY "${PROJECT_BINARY_DIR}/lib"
    LIBRARY_OUTPUT_DIRECTORY "${PROJECT_BINARY_DIR}/lib"
    VERSION ${OQS_VERSION_TEXT}
-    SOVERSION 5
+    SOVERSION 7
    # For Windows DLLs
    RUNTIME_OUTPUT_DIRECTORY "${PROJECT_BINARY_DIR}/bin")
@ -185,6 +198,6 @@ install(FILES ${PUBLIC_HEADERS}
        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/oqs)
 export(EXPORT liboqsTargets
-       FILE "${CMAKE_CURRENT_BINARY_DIR}/cmake/liboqsTargets.cmake"
+       FILE "${CMAKE_CURRENT_BINARY_DIR}/liboqsTargets.cmake"
       NAMESPACE OQS::
 )
--- a/src/common/CMakeLists.txt
+++ b/src/common/CMakeLists.txt
@ -61,14 +61,19 @@ else()
 endif()
 if(${OQS_USE_SHA3_OPENSSL})
-  if (${OQS_ENABLE_SHA3_xkcp_low})
+    if (${OQS_ENABLE_SHA3_xkcp_low})
-    add_subdirectory(sha3/xkcp_low)
+        add_subdirectory(sha3/xkcp_low)
-  endif()
+    endif()
    set(SHA3_IMPL sha3/ossl_sha3.c sha3/ossl_sha3x4.c)
    set(OSSL_HELPERS ossl_helpers.c)
 else() # using XKCP
    add_subdirectory(sha3/xkcp_low)
    set(SHA3_IMPL sha3/xkcp_sha3.c sha3/xkcp_sha3x4.c)
    if(OQS_USE_SHA3_AVX512VL)
      # also build avx512vl modules
      add_subdirectory(sha3/avx512vl_low)
      list(APPEND SHA3_IMPL sha3/avx512vl_sha3.c sha3/avx512vl_sha3x4.c)
    endif()
 endif()
 if ((OQS_LIBJADE_BUILD STREQUAL "ON"))
@ -100,8 +105,9 @@ if(${OQS_USE_OPENSSL})
    target_include_directories(common PRIVATE ${OPENSSL_INCLUDE_DIR})
    target_include_directories(internal PRIVATE ${OPENSSL_INCLUDE_DIR})
 else()
-    check_symbol_exists(getentropy "unistd.h;sys/random.h" CMAKE_HAVE_GETENTROPY)
+    check_symbol_exists(getentropy "unistd.h" CMAKE_UNISTD_HAVE_GETENTROPY)
-    if(${CMAKE_HAVE_GETENTROPY})
+    check_symbol_exists(getentropy "sys/random.h" CMAKE_SYS_RANDOM_HAVE_GETENTROPY)
    if("${CMAKE_UNISTD_HAVE_GETENTROPY}" OR "${CMAKE_SYS_RANDOM_HAVE_GETENTROPY}")
        target_compile_definitions(common PRIVATE OQS_HAVE_GETENTROPY)
        target_compile_definitions(internal PRIVATE OQS_HAVE_GETENTROPY)
    endif()
@ -156,6 +162,11 @@ if(${OQS_ENABLE_SHA3_xkcp_low}) # using XKCP
    set(_INTERNAL_OBJS ${_INTERNAL_OBJS} ${XKCP_LOW_OBJS})
 endif()
 if(${OQS_USE_SHA3_AVX512VL})
    set(_COMMON_OBJS ${_COMMON_OBJS} ${SHA3_AVX512VL_LOW_OBJS})
    set(_INTERNAL_OBJS ${_INTERNAL_OBJS} ${SHA3_AVX512VL_LOW_OBJS})
 endif()
 set(_COMMON_OBJS ${_COMMON_OBJS} $<TARGET_OBJECTS:common>)
 set(COMMON_OBJS ${_COMMON_OBJS} PARENT_SCOPE)
 set(_INTERNAL_OBJS ${_INTERNAL_OBJS} $<TARGET_OBJECTS:internal>)
--- a/src/common/aes/aes128_ni.c
+++ b/src/common/aes/aes128_ni.c
@ -49,7 +49,7 @@ static inline void aes128ni_setkey_encrypt(const unsigned char *key, __m128i rke
 }
 void oqs_aes128_load_schedule_ni(const uint8_t *key, void **_schedule) {
-	*_schedule = malloc(sizeof(aes128ctx));
+	*_schedule = OQS_MEM_malloc(sizeof(aes128ctx));
 	OQS_EXIT_IF_NULLPTR(*_schedule, "AES");
 	assert(*_schedule != NULL);
 	__m128i *schedule = ((aes128ctx *) *_schedule)->sk_exp;
--- a/src/common/aes/aes256_ni.c
+++ b/src/common/aes/aes256_ni.c
@ -76,7 +76,7 @@ static inline void aes256ni_setkey_encrypt(const unsigned char *key, __m128i rke
 }
 void oqs_aes256_load_schedule_ni(const uint8_t *key, void **_schedule) {
-	*_schedule = malloc(sizeof(aes256ctx));
+	*_schedule = OQS_MEM_malloc(sizeof(aes256ctx));
 	OQS_EXIT_IF_NULLPTR(*_schedule, "AES");
 	assert(*_schedule != NULL);
 	__m128i *schedule = ((aes256ctx *) *_schedule)->sk_exp;
--- a/src/common/aes/aes_c.c
+++ b/src/common/aes/aes_c.c
@ -676,7 +676,7 @@ static void aes_ctr(unsigned char *out, size_t outlen, const unsigned char *iv,
 }
 void oqs_aes128_load_schedule_c(const uint8_t *key, void **_schedule) {
-	*_schedule = malloc(sizeof(aes128ctx));
+	*_schedule = OQS_MEM_malloc(sizeof(aes128ctx));
 	OQS_EXIT_IF_NULLPTR(*_schedule, "AES");
 	aes128ctx *ctx = (aes128ctx *) *_schedule;
 	uint64_t skey[22];
@ -685,7 +685,7 @@ void oqs_aes128_load_schedule_c(const uint8_t *key, void **_schedule) {
 }
 void oqs_aes256_load_schedule_c(const uint8_t *key, void **_schedule) {
-	*_schedule = malloc(sizeof(aes256ctx));
+	*_schedule = OQS_MEM_malloc(sizeof(aes256ctx));
 	OQS_EXIT_IF_NULLPTR(*_schedule, "AES");
 	aes256ctx *ctx = (aes256ctx *) *_schedule;
 	uint64_t skey[30];
@ -719,7 +719,7 @@ static void aes_keysched_no_bitslice(uint32_t *skey, const unsigned char *key, u
 }
 void oqs_aes256_load_schedule_no_bitslice(const uint8_t *key, void **_schedule) {
-	*_schedule = malloc(sizeof(aes256ctx_nobitslice));
+	*_schedule = OQS_MEM_malloc(sizeof(aes256ctx_nobitslice));
 	assert(*_schedule != NULL);
 	uint32_t *schedule = ((aes256ctx_nobitslice *) *_schedule)->sk_exp;
 	aes_keysched_no_bitslice(schedule, (const unsigned char *) key, 32);
@ -752,7 +752,7 @@ void oqs_aes256_load_iv_u64_c(uint64_t iv, void *schedule) {
 }
 void oqs_aes128_load_schedule_no_bitslice(const uint8_t *key, void **_schedule) {
-	*_schedule = malloc(44 * sizeof(int));
+	*_schedule = OQS_MEM_malloc(44 * sizeof(int));
 	assert(*_schedule != NULL);
 	uint32_t *schedule = (uint32_t *) *_schedule;
 	aes_keysched_no_bitslice(schedule, (const unsigned char *) key, 16);
--- a/src/common/aes/aes_ossl.c
+++ b/src/common/aes/aes_ossl.c
@ -28,7 +28,7 @@ static inline void br_enc64be(unsigned char *dst, uint64_t x) {
 }
 static void AES128_ECB_load_schedule(const uint8_t *key, void **schedule) {
-	*schedule = malloc(sizeof(struct key_schedule));
+	*schedule = OQS_MEM_malloc(sizeof(struct key_schedule));
 	OQS_EXIT_IF_NULLPTR(*schedule, "OpenSSL");
 	struct key_schedule *ks = (struct key_schedule *) *schedule;
 	ks->for_ECB = 1;
@ -93,7 +93,7 @@ static void AES128_CTR_inc_stream_iv(const uint8_t *iv, size_t iv_len, const voi
 }
 static void AES128_CTR_inc_init(const uint8_t *key, void **schedule) {
-	*schedule = malloc(sizeof(struct key_schedule));
+	*schedule = OQS_MEM_malloc(sizeof(struct key_schedule));
 	OQS_EXIT_IF_NULLPTR(*schedule, "OpenSSL");
 	struct key_schedule *ks = (struct key_schedule *) *schedule;
@ -128,7 +128,7 @@ static void AES128_CTR_inc_ivu64(uint64_t iv, void *schedule) {
 }
 static void AES256_ECB_load_schedule(const uint8_t *key, void **schedule) {
-	*schedule = malloc(sizeof(struct key_schedule));
+	*schedule = OQS_MEM_malloc(sizeof(struct key_schedule));
 	OQS_EXIT_IF_NULLPTR(*schedule, "OpenSSL");
 	struct key_schedule *ks = (struct key_schedule *) *schedule;
 	ks->for_ECB = 1;
@ -139,7 +139,7 @@ static void AES256_ECB_load_schedule(const uint8_t *key, void **schedule) {
 }
 static void AES256_CTR_inc_init(const uint8_t *key, void **schedule) {
-	*schedule = malloc(sizeof(struct key_schedule));
+	*schedule = OQS_MEM_malloc(sizeof(struct key_schedule));
 	OQS_EXIT_IF_NULLPTR(*schedule, "OpenSSL");
 	struct key_schedule *ks = (struct key_schedule *) *schedule;
--- a/src/common/common.c
+++ b/src/common/common.c
@ -11,7 +11,9 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <stddef.h>
 #include <string.h>
 #include <stddef.h>
 #if defined(OQS_DIST_BUILD) && defined(OQS_USE_PTHREADS)
 #include <pthread.h>
@ -204,6 +206,11 @@ static void set_available_cpu_extensions(void) {
 	/* mark that this function has been called */
 	cpu_ext_data[OQS_CPU_EXT_INIT] = 1;
 }
 #elif defined(OQS_DIST_LOONGARCH64_BUILD)
 static void set_available_cpu_extensions(void) {
 	/* mark that this function has been called */
 	cpu_ext_data[OQS_CPU_EXT_INIT] = 1;
 }
 #elif defined(OQS_DIST_BUILD)
 static void set_available_cpu_extensions(void) {
 }
@ -233,6 +240,12 @@ OQS_API void OQS_init(void) {
 #endif
 }
 OQS_API void OQS_thread_stop(void) {
 #if defined(OQS_USE_OPENSSL)
 	oqs_thread_stop();
 #endif
 }
 OQS_API const char *OQS_version(void) {
 	return OQS_VERSION_TEXT;
 }
@ -256,6 +269,9 @@ OQS_API int OQS_MEM_secure_bcmp(const void *a, const void *b, size_t len) {
 }
 OQS_API void OQS_MEM_cleanse(void *ptr, size_t len) {
 	if (ptr == NULL) {
 		return;
 	}
 #if defined(OQS_USE_OPENSSL)
 	OSSL_FUNC(OPENSSL_cleanse)(ptr, len);
 #elif defined(_WIN32)
@ -275,39 +291,44 @@ OQS_API void OQS_MEM_cleanse(void *ptr, size_t len) {
 #endif
 }
 void *OQS_MEM_checked_malloc(size_t len) {
 	void *ptr = malloc(len);
 	if (ptr == NULL) {
 		fprintf(stderr, "Memory allocation failed\n");
 		abort();
 	}
 	return ptr;
 }
 void *OQS_MEM_checked_aligned_alloc(size_t alignment, size_t size) {
 	void *ptr = OQS_MEM_aligned_alloc(alignment, size);
 	if (ptr == NULL) {
 		fprintf(stderr, "Memory allocation failed\n");
 		abort();
 	}
 	return ptr;
 }
 OQS_API void OQS_MEM_secure_free(void *ptr, size_t len) {
 	if (ptr != NULL) {
 		OQS_MEM_cleanse(ptr, len);
-		free(ptr); // IGNORE free-check
+		OQS_MEM_insecure_free(ptr);
 	}
 }
 OQS_API void OQS_MEM_insecure_free(void *ptr) {
-	free(ptr); // IGNORE free-check
+#if defined(OQS_USE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER)
 	OSSL_FUNC(CRYPTO_free)(ptr, OPENSSL_FILE, OPENSSL_LINE);
 #else
 	free(ptr); // IGNORE memory-check
 #endif
 }
 void *OQS_MEM_aligned_alloc(size_t alignment, size_t size) {
-#if defined(OQS_HAVE_ALIGNED_ALLOC) // glibc and other implementations providing aligned_alloc
+#if defined(OQS_USE_OPENSSL)
 	// Use OpenSSL's memory allocation functions
 	if (!size) {
 		return NULL;
 	}
 	const size_t offset = alignment - 1 + sizeof(uint8_t);
 	uint8_t *buffer = OSSL_FUNC(CRYPTO_malloc)(size + offset, OPENSSL_FILE, OPENSSL_LINE);
 	if (!buffer) {
 		return NULL;
 	}
 	uint8_t *ptr = (uint8_t *)(((uintptr_t)(buffer) + offset) & ~(alignment - 1));
 	ptrdiff_t diff = ptr - buffer;
 	if (diff > UINT8_MAX) {
 		// Free and return NULL if alignment is too large
 		OSSL_FUNC(CRYPTO_free)(buffer, OPENSSL_FILE, OPENSSL_LINE);
 		errno = EINVAL;
 		return NULL;
 	}
 	// Store the difference so that the free function can use it
 	ptr[-1] = (uint8_t)diff;
 	return ptr;
 #elif defined(OQS_HAVE_ALIGNED_ALLOC) // glibc and other implementations providing aligned_alloc
 	return aligned_alloc(alignment, size);
 #else
 	// Check alignment (power of 2, and >= sizeof(void*)) and size (multiple of alignment)
@ -346,7 +367,7 @@ void *OQS_MEM_aligned_alloc(size_t alignment, size_t size) {
 	//            |
 	//       diff = ptr - buffer
 	const size_t offset = alignment - 1 + sizeof(uint8_t);
-	uint8_t *buffer = malloc(size + offset);
+	uint8_t *buffer = malloc(size + offset); // IGNORE memory-check
 	if (!buffer) {
 		return NULL;
 	}
@ -356,7 +377,7 @@ void *OQS_MEM_aligned_alloc(size_t alignment, size_t size) {
 	ptrdiff_t diff = ptr - buffer;
 	if (diff > UINT8_MAX) {
 		// This should never happen in our code, but just to be safe
-		free(buffer); // IGNORE free-check
+		free(buffer); // IGNORE memory-check
 		errno = EINVAL;
 		return NULL;
 	}
@ -369,18 +390,53 @@ void *OQS_MEM_aligned_alloc(size_t alignment, size_t size) {
 }
 void OQS_MEM_aligned_free(void *ptr) {
-#if defined(OQS_HAVE_ALIGNED_ALLOC) || defined(OQS_HAVE_POSIX_MEMALIGN) || defined(OQS_HAVE_MEMALIGN)
+	if (ptr == NULL) {
-	free(ptr); // IGNORE free-check
+		return;
 	}
 #if defined(OQS_USE_OPENSSL)
 	// Use OpenSSL's free function
 	uint8_t *u8ptr = ptr;
 	OSSL_FUNC(CRYPTO_free)(u8ptr - u8ptr[-1], OPENSSL_FILE, OPENSSL_LINE);
 #elif defined(OQS_HAVE_ALIGNED_ALLOC) || defined(OQS_HAVE_POSIX_MEMALIGN) || defined(OQS_HAVE_MEMALIGN)
 	free(ptr); // IGNORE memory-check
 #elif defined(__MINGW32__) || defined(__MINGW64__)
 	__mingw_aligned_free(ptr);
 #elif defined(_MSC_VER)
 	_aligned_free(ptr);
 #else
-	if (ptr) {
+	// Reconstruct the pointer returned from malloc using the difference
-		// Reconstruct the pointer returned from malloc using the difference
+	// stored one byte ahead of ptr.
-		// stored one byte ahead of ptr.
+	uint8_t *u8ptr = ptr;
-		uint8_t *u8ptr = ptr;
+	free(u8ptr - u8ptr[-1]); // IGNORE memory-check
-		free(u8ptr - u8ptr[-1]); // IGNORE free-check
+#endif
-	}
+}
 void OQS_MEM_aligned_secure_free(void *ptr, size_t len) {
 	OQS_MEM_cleanse(ptr, len);
 	OQS_MEM_aligned_free(ptr);
 }
 OQS_API void *OQS_MEM_malloc(size_t size) {
 #if defined(OQS_USE_OPENSSL)
 	return OSSL_FUNC(CRYPTO_malloc)(size, OPENSSL_FILE, OPENSSL_LINE);
 #else
 	return malloc(size); // IGNORE memory-check
 #endif
 }
 OQS_API void *OQS_MEM_calloc(size_t num_elements, size_t element_size) {
 #if defined(OQS_USE_OPENSSL)
 	return OSSL_FUNC(CRYPTO_zalloc)(num_elements * element_size,
 	                                OPENSSL_FILE, OPENSSL_LINE);
 #else
 	return calloc(num_elements, element_size); // IGNORE memory-check
 #endif
 }
 OQS_API char *OQS_MEM_strdup(const char *str) {
 #if defined(OQS_USE_OPENSSL)
 	return OSSL_FUNC(CRYPTO_strdup)(str, OPENSSL_FILE, OPENSSL_LINE);
 #else
 	return strdup(str); // IGNORE memory-check
 #endif
 }
--- a/src/common/common.h
+++ b/src/common/common.h
@ -5,14 +5,13 @@
 * SPDX-License-Identifier: MIT
 */
 #ifndef OQS_COMMON_H
 #define OQS_COMMON_H
 #include <limits.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <oqs/oqsconfig.h>
@ -24,13 +23,14 @@ extern "C" {
 * Macro for terminating the program if x is
 * a null pointer.
 */
-#define OQS_EXIT_IF_NULLPTR(x, loc)                                                   \
+#define OQS_EXIT_IF_NULLPTR(x, loc)                                            \
-    do {                                                                              \
+  do {                                                                         \
-        if ( (x) == (void*)0 ) {                                                      \
+    if ((x) == (void *)0) {                                                    \
-            fprintf(stderr, "Unexpected NULL returned from %s API. Exiting.\n", loc); \
+      fprintf(stderr, "Unexpected NULL returned from %s API. Exiting.\n",      \
-            exit(EXIT_FAILURE);                                                       \
+              loc);                                                            \
-        }                                                                             \
+      exit(EXIT_FAILURE);                                                      \
-    } while (0)
+    }                                                                          \
  } while (0)
 /**
 * This macro is intended to replace those assert()s
@ -45,22 +45,24 @@ extern "C" {
 */
 #ifdef OQS_USE_OPENSSL
 #ifdef OPENSSL_NO_STDIO
-#define OQS_OPENSSL_GUARD(x)                                                           \
+#define OQS_OPENSSL_GUARD(x)                                                   \
-    do {                                                                               \
+  do {                                                                         \
-        if( 1 != (x) ) {                                                               \
+    if (1 != (x)) {                                                            \
-            fprintf(stderr, "Error return value from OpenSSL API: %d. Exiting.\n", x); \
+      fprintf(stderr, "Error return value from OpenSSL API: %d. Exiting.\n",   \
-            exit(EXIT_FAILURE);                                                        \
+              x);                                                              \
-        }                                                                              \
+      exit(EXIT_FAILURE);                                                      \
-    } while (0)
+    }                                                                          \
  } while (0)
 #else // OPENSSL_NO_STDIO
-#define OQS_OPENSSL_GUARD(x)                                                           \
+#define OQS_OPENSSL_GUARD(x)                                                   \
-    do {                                                                               \
+  do {                                                                         \
-        if( 1 != (x) ) {                                                               \
+    if (1 != (x)) {                                                            \
-            fprintf(stderr, "Error return value from OpenSSL API: %d. Exiting.\n", x); \
+      fprintf(stderr, "Error return value from OpenSSL API: %d. Exiting.\n",   \
-            OSSL_FUNC(ERR_print_errors_fp)(stderr);                                    \
+              x);                                                              \
-            exit(EXIT_FAILURE);                                                        \
+      OSSL_FUNC(ERR_print_errors_fp)(stderr);                                  \
-        }                                                                              \
+      exit(EXIT_FAILURE);                                                      \
-    } while (0)
+    }                                                                          \
  } while (0)
 #endif // OPENSSL_NO_STDIO
 #endif // OQS_USE_OPENSSL
@ -70,13 +72,13 @@ extern "C" {
 * only handle values up to INT_MAX for those parameters.
 * This macro is a temporary workaround for such functions.
 */
-#define SIZE_T_TO_INT_OR_EXIT(size_t_var_name, int_var_name)  \
+#define SIZE_T_TO_INT_OR_EXIT(size_t_var_name, int_var_name)                   \
-    int int_var_name = 0;                                     \
+  int int_var_name = 0;                                                        \
-    if (size_t_var_name <= INT_MAX) {                         \
+  if (size_t_var_name <= INT_MAX) {                                            \
-        int_var_name = (int)size_t_var_name;                  \
+    int_var_name = (int)size_t_var_name;                                       \
-    } else {                                                  \
+  } else {                                                                     \
-        exit(EXIT_FAILURE);                                   \
+    exit(EXIT_FAILURE);                                                        \
-    }
+  }
 /**
 * Defines which functions should be exposed outside the LibOQS library
@ -160,6 +162,14 @@ OQS_API int OQS_CPU_has_extension(OQS_CPU_EXT ext);
 */
 OQS_API void OQS_init(void);
 /**
 * This function stops OpenSSL threads, which allows resources
 * to be cleaned up in the correct order.
 * @note When liboqs is used in a multithreaded application,
 * each thread should call this function prior to stopping.
 */
 OQS_API void OQS_thread_stop(void);
 /**
 * This function frees prefetched OpenSSL objects
 */
@ -170,6 +180,36 @@ OQS_API void OQS_destroy(void);
 */
 OQS_API const char *OQS_version(void);
 /**
 * @brief Memory allocation and deallocation functions.
 *
 * These functions provide a unified interface for memory operations,
 * using OpenSSL functions when OQS_USE_OPENSSL is defined, and
 * standard C library functions otherwise.
 */
 /**
 * Allocates memory of a given size.
 * @param size The size of the memory to be allocated in bytes.
 * @return A pointer to the allocated memory.
 */
 OQS_API void *OQS_MEM_malloc(size_t size);
 /**
 * Allocates memory for an array of elements of a given size.
 * @param num_elements The number of elements to allocate.
 * @param element_size The size of each element in bytes.
 * @return A pointer to the allocated memory.
 */
 OQS_API void *OQS_MEM_calloc(size_t num_elements, size_t element_size);
 /**
 * Duplicates a string.
 * @param str The string to be duplicated.
 * @return A pointer to the newly allocated string.
 */
 OQS_API char *OQS_MEM_strdup(const char *str);
 /**
 * Constant time comparison of byte sequences `a` and `b` of length `len`.
 * Returns 0 if the byte sequences are equal or if `len`=0.
@ -193,59 +233,6 @@ OQS_API int OQS_MEM_secure_bcmp(const void *a, const void *b, size_t len);
 */
 OQS_API void OQS_MEM_cleanse(void *ptr, size_t len);
 /**
 * Allocates memory of a specified size and checks for successful allocation.
 *
 * This function attempts to allocate a block of memory of the specified size.
 * If the allocation is successful, it returns a pointer to the beginning of the
 * memory block. If the allocation fails, it prints an error message to stderr
 * and terminates the program.
 *
 * @param[in] len The size of the memory block to allocate, in bytes.
 *
 * @return A pointer to the allocated memory block if the allocation is successful.
 *
 * @note This function is intended to be used when the allocation must succeed,
 *       and failure to allocate memory is considered a fatal error. As such,
 *       it does not return if the allocation fails, but instead terminates the
 *       program with an exit status indicating failure.
 *
 * @note The memory block returned by this function is not initialized. The caller
 *       is responsible for initializing the memory if required.
 *
 * @note The allocated memory should be freed using the standard `free` function
 *       when it is no longer needed.
 */
 void *OQS_MEM_checked_malloc(size_t len);
 /**
 * Allocates memory of a specified size and alignment and checks for successful allocation.
 *
 * This function attempts to allocate a block of memory with the specified size
 * and alignment. If the allocation is successful, it returns a pointer to the
 * memory block. If the allocation fails, it prints an error message to stderr
 * and terminates the program.
 *
 * Alignment must be a power of two and a multiple of sizeof(void *).
 *
 * @param[in] alignment The alignment of the memory block to allocate.
 * @param[in] size The size of the memory block to allocate, in bytes.
 *
 * @return A pointer to the allocated memory block if the allocation is successful.
 *
 * @note This function is intended to be used when the allocation must succeed,
 *       and failure to allocate memory is considered a fatal error. As such,
 *       it does not return if the allocation fails, but instead terminates the
 *       program with an exit status indicating failure.
 *
 * @note The memory block returned by this function is not initialized. The caller
 *       is responsible for initializing the memory if required.
 *
 * @note The allocated memory should be freed with `OQS_MEM_aligned_free` when it
 *       is no longer needed.
 */
 void *OQS_MEM_checked_aligned_alloc(size_t alignment, size_t size);
 /**
 * Zeros out `len` bytes of memory starting at `ptr`, then frees `ptr`.
 *
@ -277,8 +264,8 @@ OQS_API void OQS_MEM_insecure_free(void *ptr);
 * Allocates size bytes of uninitialized memory with a base pointer that is
 * a multiple of alignment. Alignment must be a power of two and a multiple
 * of sizeof(void *). Size must be a multiple of alignment.
- * @note The allocated memory should be freed with `OQS_MEM_aligned_free` when it
+ * @note The allocated memory should be freed with `OQS_MEM_aligned_free` when
- *       is no longer needed.
+ * it is no longer needed.
 */
 void *OQS_MEM_aligned_alloc(size_t alignment, size_t size);
@ -287,6 +274,11 @@ void *OQS_MEM_aligned_alloc(size_t alignment, size_t size);
 */
 void OQS_MEM_aligned_free(void *ptr);
 /**
 * Free and zeroize memory allocated with OQS_MEM_aligned_alloc.
 */
 void OQS_MEM_aligned_secure_free(void *ptr, size_t len);
 #if defined(__cplusplus)
 } // extern "C"
 #endif
--- a/src/common/ossl_functions.h
+++ b/src/common/ossl_functions.h
@ -10,17 +10,26 @@ VOID_FUNC(void, ERR_print_errors_fp, (FILE *fp), (fp))
 VOID_FUNC(void, EVP_CIPHER_CTX_free, (EVP_CIPHER_CTX *c), (c))
 FUNC(EVP_CIPHER_CTX *, EVP_CIPHER_CTX_new, (void), ())
 FUNC(int, EVP_CIPHER_CTX_set_padding, (EVP_CIPHER_CTX *c, int pad), (c, pad))
-FUNC(int, EVP_DigestFinalXOF, (EVP_MD_CTX *ctx, unsigned char *md, size_t len), (ctx, md, len))
+FUNC(int, EVP_DigestFinalXOF, (EVP_MD_CTX *ctx, unsigned char *md, size_t len),
-FUNC(int, EVP_DigestFinal_ex, (EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s), (ctx, md, s))
+     (ctx, md, len))
-FUNC(int, EVP_DigestInit_ex, (EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl), (ctx, type, impl))
+FUNC(int, EVP_DigestFinal_ex,
-FUNC(int, EVP_DigestUpdate, (EVP_MD_CTX *ctx, const void *d, size_t cnt), (ctx, d, cnt))
+     (EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s), (ctx, md, s))
-FUNC(int, EVP_EncryptFinal_ex, (EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl), (ctx, out, outl))
+FUNC(int, EVP_DigestInit_ex,
-FUNC(int, EVP_EncryptInit_ex, (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv),
+     (EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl), (ctx, type, impl))
 FUNC(int, EVP_DigestUpdate, (EVP_MD_CTX *ctx, const void *d, size_t cnt),
     (ctx, d, cnt))
 FUNC(int, EVP_EncryptFinal_ex,
     (EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl), (ctx, out, outl))
 FUNC(int, EVP_EncryptInit_ex,
     (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
      const unsigned char *key, const unsigned char *iv),
     (ctx, cipher, impl, key, iv))
-FUNC(int, EVP_EncryptUpdate, (EVP_CIPHER_CTX *ctx, unsigned char *out,
+FUNC(int, EVP_EncryptUpdate,
-                              int *outl, const unsigned char *in, int inl),
+     (EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
      const unsigned char *in, int inl),
     (ctx, out, outl, in, inl))
-FUNC(int, EVP_MD_CTX_copy_ex, (EVP_MD_CTX *out, const EVP_MD_CTX *in), (out, in))
+FUNC(int, EVP_MD_CTX_copy_ex, (EVP_MD_CTX *out, const EVP_MD_CTX *in),
     (out, in))
 VOID_FUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
 FUNC(EVP_MD_CTX *, EVP_MD_CTX_new, (void), ())
 FUNC(int, EVP_MD_CTX_reset, (EVP_MD_CTX *ctx), (ctx))
@ -29,12 +38,12 @@ FUNC(const EVP_CIPHER *, EVP_aes_128_ctr, (void), ())
 FUNC(const EVP_CIPHER *, EVP_aes_256_ecb, (void), ())
 FUNC(const EVP_CIPHER *, EVP_aes_256_ctr, (void), ())
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-FUNC(EVP_CIPHER *, EVP_CIPHER_fetch, (OSSL_LIB_CTX *ctx, const char *algorithm,
+FUNC(EVP_CIPHER *, EVP_CIPHER_fetch,
-                                      const char *properties),
+     (OSSL_LIB_CTX *ctx, const char *algorithm, const char *properties),
     (ctx, algorithm, properties))
 VOID_FUNC(void, EVP_CIPHER_free, (EVP_CIPHER *cipher), (cipher))
-FUNC(EVP_MD *, EVP_MD_fetch, (OSSL_LIB_CTX *ctx, const char *algorithm,
+FUNC(EVP_MD *, EVP_MD_fetch,
-                              const char *properties),
+     (OSSL_LIB_CTX *ctx, const char *algorithm, const char *properties),
     (ctx, algorithm, properties))
 VOID_FUNC(void, EVP_MD_free, (EVP_MD *md), (md))
 #else
@ -51,3 +60,8 @@ VOID_FUNC(void, OPENSSL_cleanse, (void *ptr, size_t len), (ptr, len))
 FUNC(int, RAND_bytes, (unsigned char *buf, int num), (buf, num))
 FUNC(int, RAND_poll, (void), ())
 FUNC(int, RAND_status, (void), ())
 VOID_FUNC(void, OPENSSL_thread_stop, (void), ())
 FUNC(void *, CRYPTO_malloc, (size_t num, const char *file, int line), (num, file, line))
 FUNC(void *, CRYPTO_zalloc, (size_t num, const char *file, int line), (num, file, line))
 FUNC(char *, CRYPTO_strdup, (const char *str, const char *file, int line), (str, file, line))
 VOID_FUNC(void, CRYPTO_free, (void *ptr, const char *file, int line), (ptr, file, line))
--- a/src/common/ossl_helpers.c
+++ b/src/common/ossl_helpers.c
@ -4,7 +4,9 @@
 #define OQS_OSSL_NO_EXTERN 1
 #include "ossl_helpers.h"
 #include <assert.h>
 #if !defined(_WIN32)
 #include <dlfcn.h>
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #if defined(OQS_USE_PTHREADS)
@ -43,31 +45,41 @@ static void fetch_ossl_objects(void) {
 	}
 }
 static inline void cleanup_evp_md(EVP_MD **mdp) {
 	/* Always check argument is non-NULL before calling EVP_MD_free
 	 * to avoid OpenSSL functions being used when they are
 	 * overridden with OQS_*_set_callbacks.
 	 */
 	if (*mdp) {
 		OSSL_FUNC(EVP_MD_free)(*mdp);
 		*mdp = NULL;
 	}
 }
 static inline void cleanup_evp_cipher(EVP_CIPHER **cipherp) {
 	/* Always check argument is non-NULL before calling EVP_CIPHER_free
 	 * to avoid OpenSSL functions being used when they are
 	 * overridden with OQS_*_set_callbacks.
 	 */
 	if (*cipherp) {
 		OSSL_FUNC(EVP_CIPHER_free)(*cipherp);
 		*cipherp = NULL;
 	}
 }
 static void free_ossl_objects(void) {
-	OSSL_FUNC(EVP_MD_free)(sha256_ptr);
+	cleanup_evp_md(&sha256_ptr);
-	sha256_ptr = NULL;
+	cleanup_evp_md(&sha384_ptr);
-	OSSL_FUNC(EVP_MD_free)(sha384_ptr);
+	cleanup_evp_md(&sha512_ptr);
-	sha384_ptr = NULL;
+	cleanup_evp_md(&sha3_256_ptr);
-	OSSL_FUNC(EVP_MD_free)(sha512_ptr);
+	cleanup_evp_md(&sha3_384_ptr);
-	sha512_ptr = NULL;
+	cleanup_evp_md(&sha3_512_ptr);
-	OSSL_FUNC(EVP_MD_free)(sha3_256_ptr);
+	cleanup_evp_md(&shake128_ptr);
-	sha3_256_ptr = NULL;
+	cleanup_evp_md(&shake256_ptr);
-	OSSL_FUNC(EVP_MD_free)(sha3_384_ptr);
+	cleanup_evp_cipher(&aes128_ecb_ptr);
-	sha3_384_ptr = NULL;
+	cleanup_evp_cipher(&aes128_ctr_ptr);
-	OSSL_FUNC(EVP_MD_free)(sha3_512_ptr);
+	cleanup_evp_cipher(&aes256_ecb_ptr);
-	sha3_512_ptr = NULL;
+	cleanup_evp_cipher(&aes256_ctr_ptr);
 	OSSL_FUNC(EVP_MD_free)(shake128_ptr);
 	shake128_ptr = NULL;
 	OSSL_FUNC(EVP_MD_free)(shake256_ptr);
 	shake256_ptr = NULL;
 	OSSL_FUNC(EVP_CIPHER_free)(aes128_ecb_ptr);
 	aes128_ecb_ptr = NULL;
 	OSSL_FUNC(EVP_CIPHER_free)(aes128_ctr_ptr);
 	aes128_ctr_ptr = NULL;
 	OSSL_FUNC(EVP_CIPHER_free)(aes256_ecb_ptr);
 	aes256_ecb_ptr = NULL;
 	OSSL_FUNC(EVP_CIPHER_free)(aes256_ctr_ptr);
 	aes256_ctr_ptr = NULL;
 }
 #endif // OPENSSL_VERSION_NUMBER >= 0x30000000L
@ -85,6 +97,10 @@ void oqs_ossl_destroy(void) {
 #endif
 }
 void oqs_thread_stop(void) {
 	OSSL_FUNC(OPENSSL_thread_stop)();
 }
 const EVP_MD *oqs_sha256(void) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #if defined(OQS_USE_PTHREADS)
--- a/src/common/ossl_helpers.h
+++ b/src/common/ossl_helpers.h
@ -6,6 +6,7 @@
 extern "C" {
 #endif
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@ -13,6 +14,8 @@ extern "C" {
 #if defined(OQS_USE_OPENSSL)
 void oqs_ossl_destroy(void);
 void oqs_thread_stop(void);
 const EVP_MD *oqs_sha256(void);
 const EVP_MD *oqs_sha384(void);
@ -39,8 +42,7 @@ const EVP_CIPHER *oqs_aes_256_ctr(void);
 #ifdef OQS_DLOPEN_OPENSSL
-#define FUNC(ret, name, args, cargs)        \
+#define FUNC(ret, name, args, cargs) ret _oqs_ossl_##name args;
    ret _oqs_ossl_##name args;
 #define VOID_FUNC FUNC
 #include "ossl_functions.h"
 #undef VOID_FUNC
--- a/src/common/pqclean_shims/fips202.h
+++ b/src/common/pqclean_shims/fips202.h
@ -53,6 +53,7 @@
 #define shake256_inc_ctx_clone OQS_SHA3_shake256_inc_ctx_clone
 #define shake256_inc_ctx_reset OQS_SHA3_shake256_inc_ctx_reset
 #define shake128_init shake128_inc_init
 #define shake128_absorb_once OQS_SHA3_shake128_absorb_once
 void OQS_SHA3_shake128_absorb_once(shake128incctx *state, const uint8_t *in, size_t inlen);
--- a/src/common/pqclean_shims/fips202x4.h
+++ b/src/common/pqclean_shims/fips202x4.h
@ -48,4 +48,10 @@ void OQS_SHA3_shake256_x4_absorb_once(shake256x4incctx *state, const uint8_t *in
 #define shake256x4_squeezeblocks(OUT0, OUT1, OUT2, OUT3, NBLOCKS, STATE) \
        OQS_SHA3_shake256_x4_inc_squeeze(OUT0, OUT1, OUT2, OUT3, (NBLOCKS)*OQS_SHA3_SHAKE256_RATE, STATE)
 #define shake128x4ctx shake128x4incctx
 #define shake128x4_init shake128x4_inc_init
 #define shake128x4_release shake128x4_inc_ctx_release
 #define shake128ctx shake128incctx
 #define shake128_release shake128_inc_ctx_release
 #endif
--- a/src/common/rand/rand_nist.c
+++ b/src/common/rand/rand_nist.c
@ -67,7 +67,7 @@ void OQS_randombytes_nist_kat_init_256bit(const uint8_t *entropy_input, const ui
 		for (int i = 0; i < 48; i++) {
 			seed_material[i] ^= personalization_string[i];
 		}
-	memset(DRBG_ctx.Key, 0x00, 32);
+	OQS_MEM_cleanse(DRBG_ctx.Key, 32);
 	memset(DRBG_ctx.V, 0x00, 16);
 	AES256_CTR_DRBG_Update(seed_material, DRBG_ctx.Key, DRBG_ctx.V);
 	DRBG_ctx.reseed_counter = 1;
--- a/Show More
+++ b/Show More