Zeroize memory in SHA3 implementation (#2171 )

* Add OQS_MEM_aligned_secure_free convenience fn Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com> * Rewrite SHA3 aligned frees to zeroize Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com> --------- Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com>
Add AVX512VL-Optimized SHA3/SHAKE Implementations (#2167 )
2025-06-23 00:01:22 -04:00 · 2025-06-20 14:12:12 -04:00 · 2025-06-20 13:37:32 -04:00 · 2025-06-19 14:45:44 -04:00 · 2025-06-18 11:38:44 -04:00 · 2025-06-16 10:50:07 -04:00
10651 changed files with 1440173 additions and 1013640 deletions
--- a/.CMake/alg_support.cmake
+++ b/.CMake/alg_support.cmake
--- a/.CMake/apple.cmake
+++ b/.CMake/apple.cmake
--- a/.CMake/cmake_uninstall.cmake.in
+++ b/.CMake/cmake_uninstall.cmake.in
@ -0,0 +1,24 @@
+# As per https://gitlab.kitware.com/cmake/community/-/wikis/FAQ#can-i-do-make-uninstall-with-cmake
+
+if(NOT EXISTS "@CMAKE_BINARY_DIR@/install_manifest.txt")
+  message(FATAL_ERROR "Cannot find install manifest: @CMAKE_BINARY_DIR@/install_manifest.txt")
+endif()
+
+file(READ "@CMAKE_BINARY_DIR@/install_manifest.txt" files)
+string(REGEX REPLACE "\n" ";" files "${files}")
+foreach(file ${files})
+  message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
+  if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+    exec_program(
+      "@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
+      OUTPUT_VARIABLE rm_out
+      RETURN_VALUE rm_retval
+      )
+    if(NOT "${rm_retval}" STREQUAL 0)
+      message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
+    endif()
+  else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+    message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
+  endif()
+endforeach()
+
--- a/.CMake/compiler_opts.cmake
+++ b/.CMake/compiler_opts.cmake
@ -11,6 +11,31 @@
 # If OQS_OPT_TARGET=auto we target the current CPU.
 # If OQS_OPT_TARGET=generic we target a generic CPU.
 # Otherwise we target the specified CPU.
+
+# Pedantic checks (-Wall, ...) are not enabled by default for Release
+# builds such as to avoid future build errors introduced by currently
+# unknown compiler warnings
+
+include(CheckCCompilerFlag)
+check_c_compiler_flag("-Wa,--noexecstack" CC_SUPPORTS_WA_NOEXECSTACK)
+
+# This sets the equivalent of -Werror for supported compilers
+# it can be overriden with --compile-no-warnings-as-errors
+# https://cmake.org/cmake/help/latest/prop_tgt/COMPILE_WARNING_AS_ERROR.html
+set(CMAKE_COMPILE_WARNING_AS_ERROR ${OQS_STRICT_WARNINGS})
+
+if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.18")
+    include(CheckLinkerFlag)
+    check_linker_flag(C "-Wl,-z,noexecstack" LD_SUPPORTS_WL_Z_NOEXECSTACK)
+elseif(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.14")
+    set(TMP_TESTDIR "${CMAKE_BINARY_DIR}/test_noexecstack")
+    file(WRITE "${TMP_TESTDIR}/test.c" "int main() { return 0; }\n")
+    try_compile(LD_SUPPORTS_WL_Z_NOEXECSTACK "${TMP_TESTDIR}" "${TMP_TESTDIR}/test.c" LINK_OPTIONS "-Wl,-z,noexecstack")
+else()
+    message(WARNING "Unable to check if '-Wl,-z,noexecstack' is supported.")
+    set(LD_SUPPORTS_WL_Z_NOEXECSTACK FALSE)
+endif()
+
 set(OQS_OPT_FLAG "")
 if(CMAKE_C_COMPILER_ID MATCHES "Clang|GNU")
    if(${OQS_DIST_BUILD})
@ -22,18 +47,28 @@ if(CMAKE_C_COMPILER_ID MATCHES "Clang|GNU")
    endif()

    if(OQS_OPT_TARGET STREQUAL "generic")
-      if(ARCH_X86_64)
-        set(OQS_OPT_FLAG "-march=x86-64")
-      elseif(ARCH_ARM64v8)
-        set(OQS_OPT_FLAG "-mcpu=cortex-a53")
-      elseif(ARCH_ARM32v7)
-        set(OQS_OPT_FLAG "-mcpu=cortex-a5")
-      endif()
+        if(ARCH_S390X)
+            # At least z9-109 is needed for 'stckf' in benchmarking code.
+            # gcc's default is z900 (older than z9-109), clang's default and minimum is z10.
+            # setting to z10 as sensible default.
+            set(OQS_OPT_FLAG "-march=z10")
+        else()
+            # Assume sensible default like -march=x86-64, -march=armv8-a, etc.
+	    if(ARCH_ARM64v8)
+                set(OQS_OPT_FLAG "-march=armv8-a+crypto")
+    	    else()
+		set(OQS_OPT_FLAG "")
+	    endif()
+        endif()
    elseif(OQS_OPT_TARGET STREQUAL "auto")
      if(ARCH_X86_64)
          set(OQS_OPT_FLAG "-march=native")
      elseif(ARCH_ARM64v8 AND CMAKE_SYSTEM_NAME STREQUAL "Linux")
          set(OQS_OPT_FLAG "-mcpu=native")
+      elseif(ARCH_ARM64v8 AND CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+          set(OQS_OPT_FLAG "-mcpu=native")
+      elseif(ARCH_S390X)
+          set(OQS_OPT_FLAG "-march=native")
      else()
          message(WARNING "Setting OQS_OPT_TARGET=AUTO may not produce optimized code on this system.")
      endif()
@ -42,40 +77,53 @@ if(CMAKE_C_COMPILER_ID MATCHES "Clang|GNU")
        set(OQS_OPT_FLAG "-march=${OQS_OPT_TARGET}")
      elseif(ARCH_ARM64v8 OR ARCH_ARM32v7)
        set(OQS_OPT_FLAG "-mcpu=${OQS_OPT_TARGET}")
+      elseif(ARCH_S390X)
+        set(OQS_OPT_FLAG "-march=${OQS_OPT_TARGET}")
      endif()
    endif()

    add_compile_options(${OQS_OPT_FLAG})

    # If this is not a dist build we also need to set the OQS_USE_[EXTENSION] flags
-    if(NOT ${OQS_DIST_BUILD})
+    if(NOT ${OQS_DIST_BUILD} AND NOT CMAKE_CROSSCOMPILING)
        include(${CMAKE_CURRENT_LIST_DIR}/gcc_clang_intrinsics.cmake)
    endif()
 endif()

 if(CMAKE_C_COMPILER_ID MATCHES "Clang")
-    add_compile_options(-Werror)
+  if(${OQS_STRICT_WARNINGS})
    add_compile_options(-Wall)
    add_compile_options(-Wextra)
    add_compile_options(-Wpedantic)
    add_compile_options(-Wno-unused-command-line-argument)
+  endif()
+    if(CC_SUPPORTS_WA_NOEXECSTACK)
+        add_compile_options("-Wa,--noexecstack")
+    endif()
+    if(LD_SUPPORTS_WL_Z_NOEXECSTACK)
+        add_link_options("-Wl,-z,noexecstack")
+    endif()

-    if(NOT ${OQS_BUILD_ONLY_LIB})
-        set(THREADS_PREFER_PTHREAD_FLAG ON)
-        find_package(Threads REQUIRED)
-        set(OQS_USE_PTHREADS_IN_TESTS 1)
+    set(THREADS_PREFER_PTHREAD_FLAG ON)
+    find_package(Threads)
+    if (CMAKE_USE_PTHREADS_INIT AND NOT OQS_EMBEDDED_BUILD)
+        set(OQS_USE_PTHREADS ON)
    endif()

    if(${OQS_DEBUG_BUILD})
        add_compile_options(-g3)
        add_compile_options(-fno-omit-frame-pointer)
+	if(${USE_COVERAGE})
+            add_compile_options(-coverage)
+            add_link_options(-coverage)
+	endif()
        if(USE_SANITIZER STREQUAL "Address")
            add_compile_options(-fno-optimize-sibling-calls)
            add_compile_options(-fsanitize-address-use-after-scope)
            add_compile_options(-fsanitize=address)
            set(SANITIZER_LD_FLAGS "-fsanitize=address")
        elseif(USE_SANITIZER STREQUAL "Memory")
-            add_compile_options(-fsanitize=address)
+            add_compile_options(-fsanitize=memory)
            set(SANITIZER_LD_FLAGS "-fsanitize=memory")
        elseif(USE_SANITIZER STREQUAL "MemoryWithOrigins")
            add_compile_options(-fsanitize=memory)
@ -100,7 +148,10 @@ if(CMAKE_C_COMPILER_ID MATCHES "Clang")
    endif()

 elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
-    add_compile_options(-Werror)
+  if (NOT ${CMAKE_C_COMPILER_VERSION} VERSION_GREATER_EQUAL ${OQS_MINIMAL_GCC_VERSION})
+     message(FATAL_ERROR "GCC version ${CMAKE_C_COMPILER_VERSION} below minimally required version ${OQS_MINIMAL_GCC_VERSION}.")
+  endif()
+  if(${OQS_STRICT_WARNINGS})
    add_compile_options(-Wall)
    add_compile_options(-Wextra)
    add_compile_options(-Wpedantic)
@ -109,16 +160,29 @@ elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
    add_compile_options(-Wformat=2)
    add_compile_options(-Wfloat-equal)
    add_compile_options(-Wwrite-strings)
+  endif()
+    if (NOT CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+        if(CC_SUPPORTS_WA_NOEXECSTACK)
+            add_compile_options("-Wa,--noexecstack")
+        endif()
+        if(LD_SUPPORTS_WL_Z_NOEXECSTACK)
+            add_link_options("-Wl,-z,noexecstack")
+        endif()
+    endif()

-    if(NOT ${OQS_BUILD_ONLY_LIB})
-        set(THREADS_PREFER_PTHREAD_FLAG ON)
-        find_package(Threads REQUIRED)
-        set(OQS_USE_PTHREADS_IN_TESTS 1)
+    set(THREADS_PREFER_PTHREAD_FLAG ON)
+    find_package(Threads)
+    if (CMAKE_USE_PTHREADS_INIT AND NOT OQS_EMBEDDED_BUILD)
+        set(OQS_USE_PTHREADS ON)
    endif()

    if(${OQS_DEBUG_BUILD})
        add_compile_options (-Wstrict-overflow)
        add_compile_options(-ggdb3)
+	if(${USE_COVERAGE})
+            add_compile_options(-coverage)
+            add_link_options(-coverage)
+	endif()
    else()
        add_compile_options(-O3)
        add_compile_options(-fomit-frame-pointer)
@ -131,6 +195,12 @@ elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
        endif ()
    endif()

+    # workaround for gcc issues on ARM32 as per https://github.com/open-quantum-safe/liboqs/issues/1288
+    if(ARCH_ARM32v7 AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "11.0.0"))
+        add_compile_options(-fno-ipa-modref)
+        add_compile_options(-fno-ipa-pure-const)
+    endif()
+
 elseif(CMAKE_C_COMPILER_ID STREQUAL "MSVC")
    # Warning C4146 is raised when a unary minus operator is applied to an
    # unsigned type; this has nonetheless been standard and portable for as
@ -144,11 +214,15 @@ elseif(CMAKE_C_COMPILER_ID STREQUAL "MSVC")
 endif()

 if(MINGW OR MSYS OR CYGWIN)
-    add_compile_options(-Wno-maybe-uninitialized)
+    set(OQS_USE_PTHREADS OFF)
+    # Apply -Wno-maybe-uninitialized only for GCC
+    if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+        add_compile_options(-Wno-maybe-uninitialized)
+    endif()
    if(CMAKE_VERSION VERSION_GREATER_EQUAL "3.13.0")
        add_link_options(-Wl,--stack,16777216)
    else()
-        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--stack,1677216")
+        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--stack,16777216")
    endif()
 endif()

--- a/.CMake/detect_gcc_clang_intrinsics.c
+++ b/.CMake/detect_gcc_clang_intrinsics.c
@ -24,6 +24,9 @@ int main(void) {
 #if defined(__AVX512F__)
 	printf("AVX512F;");
 #endif
+#if defined(__VPCLMULQDQ__)
+	printf("VPCLMULQDQ;");
+#endif
 #if defined(__BMI__)
 	printf("BMI1;");
 #endif
@ -51,7 +54,7 @@ int main(void) {
 #if defined(__ARM_FEATURE_AES)
 	printf("ARM_AES;");
 #endif
-#if defined(__ARM_FEATURE_SHA2)
+#if (defined(__APPLE__) && defined(__aarch64__)) || defined(__ARM_FEATURE_SHA2)
 	printf("ARM_SHA2;");
 #endif
 #if defined(__ARM_FEATURE_SHA3)
--- a/.CMake/gcc_clang_intrinsics.cmake
+++ b/.CMake/gcc_clang_intrinsics.cmake
@ -9,10 +9,16 @@ if(NOT COMPILE_RESULT)
     message(FATAL_ERROR "Could not compile .CMake/detect_gcc_clang_intrinsics.c" ${COMPILE_OUTPUT})
 endif()
 if(NOT RUN_RESULT EQUAL 0)
-     message(FATAL_ERROR ".CMake/detect_gcc_clang_intrinsics.c returned exit code: " ${RUN_RESULT})
+	if(CMAKE_CROSSCOMPILING)
+		message(STATUS "Detecting language features in cross-compiling mode impossible. Setting all CPU features OFF.")
+	else()
+     		message(FATAL_ERROR ".CMake/detect_gcc_clang_intrinsics.c returned exit code: " ${RUN_RESULT})
+     	endif()
 endif()
 foreach(CPU_EXTENSION ${RUN_OUTPUT})
-    set(OQS_USE_${CPU_EXTENSION}_INSTRUCTIONS ON)
+     if (NOT DEFINED OQS_USE_${CPU_EXTENSION}_INSTRUCTIONS)
+          set(OQS_USE_${CPU_EXTENSION}_INSTRUCTIONS ON)
+     endif()
 endforeach()
 if(OQS_USE_AVX512BW_INSTRUCTIONS AND
   OQS_USE_AVX512DQ_INSTRUCTIONS AND
--- a/.CMake/toolchain_rasppi.cmake
+++ b/.CMake/toolchain_rasppi.cmake
@ -14,3 +14,7 @@ set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
 set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
 set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
 set(CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY)
+
+# Unconditionally set for this platform
+add_definitions( -DOQS_USE_RASPBERRY_PI )
+
--- a/.CMake/toolchain_windows_amd64.cmake
+++ b/.CMake/toolchain_windows_amd64.cmake
@ -0,0 +1,12 @@
+# SPDX-License-Identifier: MIT
+
+set(CMAKE_SYSTEM_NAME Windows)
+
+set(CMAKE_SYSTEM_PROCESSOR AMD64)
+
+set(CMAKE_CROSSCOMPILING OFF)
+
+set(CMAKE_GENERATOR_PLATFORM
+    x64
+    CACHE STRING "Platform" FORCE
+)
--- a/.CMake/toolchain_windows_arm64.cmake
+++ b/.CMake/toolchain_windows_arm64.cmake
@ -0,0 +1,12 @@
+# SPDX-License-Identifier: MIT
+
+set(CMAKE_SYSTEM_NAME Windows)
+
+set(CMAKE_SYSTEM_PROCESSOR arm64)
+
+set(CMAKE_CROSSCOMPILING ON)
+
+set(CMAKE_GENERATOR_PLATFORM
+    ARM64
+    CACHE STRING "Platform" FORCE
+)
--- a/.CMake/toolchain_windows_x86.cmake
+++ b/.CMake/toolchain_windows_x86.cmake
@ -0,0 +1,12 @@
+# SPDX-License-Identifier: MIT
+
+set(CMAKE_SYSTEM_NAME Windows)
+
+set(CMAKE_SYSTEM_PROCESSOR x86)
+
+set(CMAKE_CROSSCOMPILING OFF)
+
+set(CMAKE_GENERATOR_PLATFORM
+    Win32
+    CACHE STRING "Platform" FORCE
+)
--- a/.CMake/toolchain_x86.cmake
+++ b/.CMake/toolchain_x86.cmake
@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MIT
+
+set(CMAKE_SYSTEM_NAME Linux)
+set(CMAKE_SYSTEM_PROCESSOR i586)
+set(CMAKE_CROSSCOMPILING OFF)
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,415 +0,0 @@
-version: 2.1
-
-require_stylecheck: &require_stylecheck
-  requires:
-    - stylecheck
-
-require_buildcheck: &require_buildcheck
-  requires:
-    - stylecheck
-    - buildcheck
-
-require_testapproval: &require_testapproval
-  requires:
-    - stylecheck
-    - buildcheck
-    - testapproval
-
-# CircleCI doesn't handle large file sets properly for local builds
-# https://github.com/CircleCI-Public/circleci-cli/issues/281#issuecomment-472808051
-localCheckout: &localCheckout
-  run: |-
-    PROJECT_PATH=$(cd ${CIRCLE_WORKING_DIRECTORY}; pwd)
-    mkdir -p ${PROJECT_PATH}
-    cd /tmp/_circleci_local_build_repo
-    git ls-files -z | xargs -0 -s 2090860 tar -c | tar -x -C ${PROJECT_PATH}
-    cp -a /tmp/_circleci_local_build_repo/.git ${PROJECT_PATH}
-
-jobs:
-  stylecheck:
-    description: Validate formatting of code and documentation
-    docker:
-      - image: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-# Re-enable iff docker enforces rate limitations without auth:
-#        auth:
-#          username: $DOCKER_LOGIN
-#          password: $DOCKER_PASSWORD
-    steps:
-      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
-      - run:
-          name: Ensure code conventions are upheld
-          command: python3 -m pytest --verbose tests/test_code_conventions.py
-      - run:
-          name: Check that doxygen can parse the documentation
-          command: mkdir -p build/docs && doxygen docs/.Doxyfile
-
-  buildcheck:
-    description: Test that we can build a single KEM/Signature pair as part of a minimal build.
-    parameters:
-      CONTAINER:
-        description: "The docker container to use."
-        type: string
-      CMAKE_ARGS:
-        description: "Arguments to pass to CMake."
-        type: string
-        default: ''
-      KEM_NAME:
-        description: "The KEM to build."
-        type: string
-      SIG_NAME:
-        description: "The signature scheme to build."
-        type: string
-    docker:
-      - image: << parameters.CONTAINER >>
-    steps:
-      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
-      - run:
-          name: Configure
-          command: mkdir build && cd build && source ~/.bashrc && cmake --warn-uninitialized -GNinja << parameters.CMAKE_ARGS >> -DOQS_MINIMAL_BUILD=ON -DOQS_KEM_DEFAULT=OQS_KEM_alg_<< parameters.KEM_NAME >> -DOQS_SIG_DEFAULT=OQS_SIG_alg_<< parameters.SIG_NAME >> .. > config.log 2>&1 && cat config.log && cmake -LA .. && ! (grep "uninitialized variable" config.log)
-      - run:
-          name: Build
-          command: ninja
-          working_directory: build
-
-  linux_x64:
-    description: A template for running liboqs tests on x64 Linux Docker VMs
-    parameters:
-      CONTAINER:
-        description: "The docker container to use."
-        type: string
-      CMAKE_ARGS:
-        description: "Arguments to pass to CMake."
-        type: string
-        default: ''
-      PYTEST_ARGS:
-        description: "Arguments to pass to pytest."
-        type: string
-        # Not every executor handles --numprocesses=auto being passed to pytest well
-        # See https://github.com/open-quantum-safe/liboqs/issues/738#issuecomment-621394744
-        default: --numprocesses=auto
-    docker:
-      - image: << parameters.CONTAINER >>
-# Re-enable iff docker enforces rate limitations without auth:
-#        auth:
-#          username: $DOCKER_LOGIN
-#          password: $DOCKER_PASSWORD
-    steps:
-      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
-      - run:
-          name: Configure
-          command: mkdir build && cd build && source ~/.bashrc && cmake -GNinja << parameters.CMAKE_ARGS >> .. && cmake -LA ..
-      - run:
-          name: Build
-          command: ninja
-          working_directory: build
-      - run:
-          name: Run tests
-          no_output_timeout: 1h
-          command: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --junitxml=build/test-results/pytest/test-results.xml << parameters.PYTEST_ARGS >>
-      - store_test_results: # Note that this command will fail when running CircleCI locally, that is expected behaviour
-          path: build/test-results
-      - store_artifacts:
-          path: build/test-results
-
-  arm_emulated:
-    description: A template for running liboqs tests on emulated ARM Docker VMs
-    parameters:
-      ARCH:
-        description: "The desired ARM architecture to be emulated."
-        type: string
-      CMAKE_ARGS:
-        description: "Arguments to pass to CMake."
-        type: string
-    machine:
-      image: ubuntu-1604:201903-01
-    steps:
-      - checkout
-      - run:
-          name: Install the emulation handlers
-          command: docker run --rm --privileged multiarch/qemu-user-static:register --reset
-      - run:
-          name: Build in an x86_64 container
-          command: |
-            docker run --rm -v `pwd`:`pwd` -w `pwd` openquantumsafe/ci-debian-buster-amd64:latest /bin/bash -c "
-            mkdir build &&
-            (cd build &&
-            cmake -GNinja << parameters.CMAKE_ARGS >> -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_<< parameters.ARCH >>.cmake .. && cmake -LA .. &&
-            ninja)
-            "
-      - run:
-          name: Run the tests in an << parameters.ARCH >> container
-          command: |
-            docker run -e SKIP_TESTS=style,mem_kem,mem_sig --rm -v `pwd`:`pwd` -w `pwd` openquantumsafe/ci-debian-buster-<< parameters.ARCH >>:latest /bin/bash -c "
-            mkdir -p tmp && python3 -m pytest --verbose --numprocesses=auto --ignore=tests/test_code_conventions.py --junitxml=build/test-results/pytest/test-results.xml
-            "
-      - store_test_results:
-          path: build/test-results
-      - store_artifacts:
-          path: build/test-results
-
-  arm_machine:
-    description: A template for running liboqs tests on ARM(presently only 64) machines
-    parameters:
-      CMAKE_ARGS:
-        description: "Arguments to pass to CMake."
-        type: string
-      PYTEST_ARGS:
-        description: "Arguments to pass to pytest."
-        type: string
-        # Not every executor handles --numprocesses=auto being passed to pytest well
-        # See https://github.com/open-quantum-safe/liboqs/issues/738#issuecomment-621394744
-        default: --numprocesses=auto
-    machine:
-      image: ubuntu-2004:202101-01
-    resource_class: arm.medium
-    steps:
-      - checkout
-      # It seems the machine doesn't contain all preprequisites, and we don't have permission to add them explicitly, 
-      # so we can only run in a prepared ARM64 CI image
-      - run:
-          name: Build and run tests in docker 
-          no_output_timeout: 1h
-          command: |
-            docker run -e CMAKE_ARGS="<< parameters.CMAKE_ARGS >>" -e PYTEST_ARGS="<< parameters.PYTEST_ARGS >>" -v `pwd`:/root/project -it openquantumsafe/ci-ubuntu-focal-arm64:latest bash -c 'cd /root/project && uname -a && mkdir build && cd build && source ~/.bashrc && cmake -GNinja $CMAKE_ARGS .. && cmake -LA .. && ninja && cd .. && mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --junitxml=build/test-results/pytest/test-results.xml $PYTEST_ARGS'
-      - store_test_results: # Note that this command will fail when running CircleCI locally, that is expected behaviour
-          path: build/test-results
-      - store_artifacts:
-          path: build/test-results
-
-  macOS:
-    description: A template for running liboqs tests on macOS
-    parameters:
-      CMAKE_ARGS:
-        description: "Arguments to pass to CMake."
-        type: string
-      PYTEST_ARGS:
-        description: "Arguments to pass to pytest."
-        type: string
-        default: ""
-    macos:
-      xcode: "11.3.0"
-    steps:
-      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
-      - run:
-          name: Install dependencies
-          command: brew unlink python@2 && env HOMEBREW_NO_AUTO_UPDATE=1 brew install cmake ninja && pip3 install pytest pytest-xdist
-      - run:
-          name: Get system information
-          command: sysctl -a | grep machdep.cpu
-      - run:
-          name: Configure
-          command: mkdir build && cd build && source ~/.bashrc && cmake -GNinja << parameters.CMAKE_ARGS >> .. && cmake -LA ..
-      - run:
-          name: Build
-          command: ninja
-          working_directory: build
-      - run:
-          name: Run tests
-          command: mkdir tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --junitxml=build/test-results/pytest/test-results.xml << parameters.PYTEST_ARGS >>
-      - store_test_results: # Note that this command will fail when running CircleCI locally, that is expected behaviour
-          path: build/test-results
-      - store_artifacts:
-          path: build/test-results
-
-  trigger-downstream-ci:
-    docker:
-      - image: cimg/base:2020.01
-# Re-enable iff docker enforces rate limitations without auth:
-#        auth:
-#          username: $DOCKER_LOGIN
-#          password: $DOCKER_PASSWORD
-    steps:
-      - run:
-          name: Trigger OQS-OpenSSL CI
-          command: |
-            curl -u ${BUILD_TRIGGER_TOKEN}: \
-                 -X POST \
-                 --header "Content-Type: application/json" \
-                 -d '{ "branch": "OQS-OpenSSL_1_1_1-stable", "parameters": { "run_downstream_tests": true } }' \
-                 https://circleci.com/api/v2/project/gh/open-quantum-safe/openssl/pipeline
-      - run:
-          name: Trigger OQS-BoringSSL CI
-          command: |
-            curl -u ${BUILD_TRIGGER_TOKEN}: \
-                 -X POST \
-                 --header "Content-Type: application/json" \
-                 -d '{ "branch": "master", "parameters": { "run_downstream_tests": true } }' \
-                 https://circleci.com/api/v2/project/gh/open-quantum-safe/boringssl/pipeline
-      - run:
-          name: Trigger OQS-OpenSSH CI
-          command: |
-            curl -u ${BUILD_TRIGGER_TOKEN}: \
-                 -X POST \
-                 --header "Content-Type: application/json" \
-                 -d '{ "branch": "OQS-master", "parameters": { "run_downstream_tests": true } }' \
-                 https://circleci.com/api/v2/project/gh/open-quantum-safe/openssh/pipeline
-      - run:
-          name: Trigger liboqs-dotnet CI
-          command: |
-            curl -u ${BUILD_TRIGGER_TOKEN}: \
-                 -X POST \
-                 --header "Content-Type: application/json" \
-                 -d '{ "branch": "master" }' \
-                 https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-dotnet/pipeline
-      - run:
-          name: Trigger liboqs-java CI
-          command: |
-            curl -u ${BUILD_TRIGGER_TOKEN}: \
-                 -X POST \
-                 --header "Content-Type: application/json" \
-                 -d '{ "branch": "master" }' \
-                 https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-java/pipeline
-      - run:
-          name: Trigger liboqs-python CI
-          command: |
-            curl -u ${BUILD_TRIGGER_TOKEN}: \
-                 -X POST \
-                 --header "Content-Type: application/json" \
-                 -d '{ "branch": "master" }' \
-                 https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-python/pipeline
-
-workflows:
-  version: 2.1
-  build:
-    when:
-      not:
-        equal: [ main, << pipeline.git.branch >> ]
-    jobs:
-      - stylecheck
-      - buildcheck:
-          <<: *require_stylecheck
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-          KEM_NAME: kyber_768
-          SIG_NAME: dilithium_3
-      # Disabling testapproval as no jobs currently need it.
-      #- testapproval:
-      #    <<: *require_buildcheck
-      #    type: approval
-      - linux_x64:
-          <<: *require_buildcheck
-          name: alpine-noopenssl
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-alpine-amd64:latest
-          CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF
-      - linux_x64:
-          <<: *require_buildcheck
-          name: alpine
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-alpine-amd64:latest
-          CMAKE_ARGS: -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON
-      # Disabling centos-8 and debian-buster.
-      # Re-enable if specific configurations (package versions etc) that need to be tested are identified.
-      #- linux_x64:
-      #    <<: *require_buildcheck
-      #    name: centos-8
-      #    context: openquantumsafe
-      #    CONTAINER: openquantumsafe/ci-centos-8-amd64:latest
-      #    CMAKE_ARGS: -DCMAKE_C_COMPILER=clang
-      #- linux_x64:
-      #    <<: *require_buildcheck
-      #    name: debian-buster
-      #    context: openquantumsafe
-      #    CONTAINER: openquantumsafe/ci-debian-buster-amd64:latest
-      - linux_x64:
-          <<: *require_buildcheck
-          name: ubuntu-focal-noopenssl
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-          CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF
-      - linux_x64:
-          <<: *require_buildcheck
-          name: ubuntu-focal-shared-noopenssl
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-          CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DOQS_DIST_BUILD=ON -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON
-          PYTEST_ARGS: --ignore=tests/test_namespace.py --numprocesses=auto
-      - linux_x64:
-          <<: *require_buildcheck
-          name: ubuntu-focal-clang9
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-          CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9
-      - linux_x64:
-          <<: *require_buildcheck
-          name: address-sanitizer
-          context: openquantumsafe
-          filters:
-            branches:
-              only:
-                - /^audit.*/
-          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-          CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address
-          PYTEST_ARGS: --ignore=tests/test_portability.py --numprocesses=auto --maxprocesses=10
-      # Disabling test_constant_time for now
-      #- linux_x64:
-      #    <<: *require_buildcheck
-      #    name: constant-time-x64
-      #    filters:
-      #      branches:
-      #        only:
-      #          - /^audit.*/
-      #    context: openquantumsafe
-      #    CONTAINER: openquantumsafe/ci-ubuntu-bionic-x86_64:latest
-      #    CMAKE_ARGS: -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
-      #    PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
-      #- linux_x64:
-      #    <<: *require_buildcheck
-      #    name: constant-time-x64-extensions
-      #    filters:
-      #      branches:
-      #        only:
-      #          - /^audit.*/
-      #    context: openquantumsafe
-      #    CONTAINER: openquantumsafe/ci-ubuntu-bionic-x86_64:latest
-      #    CMAKE_ARGS: -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
-      #    PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
-      # Disabling for now due to https://github.com/open-quantum-safe/liboqs/issues/791
-      #- linux_x64:
-      #    name: undefined-sanitizer
-      #    context: openquantumsafe
-      #    CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-      #    CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Undefined
-           # Normally the linux tests are run with 35 processes, but that
-           # exhausts memory for this test
-      #    PYTEST_ARGS: --numprocesses=1
-      # SPHINCS exhausts memory on CircleCI servers
-      # for these configurations.
-      # don't run ARM64 emulated any more:
-      #- arm_emulated:
-      #    <<: *require_buildcheck
-      #    name: arm64
-      #    ARCH: arm64
-      #    CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_DIST_BUILD=ON
-      - arm_machine:
-          <<: *require_buildcheck
-          name: arm64
-          PYTEST_ARGS: --numprocesses=auto --maxprocesses=10
-          CMAKE_ARGS: -DOQS_DIST_BUILD=ON
-      - arm_emulated:
-          <<: *require_buildcheck
-          name: armhf
-          ARCH: armhf
-          CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic
-      # Disabling armel
-      #- arm_emulated:
-      #    <<: *require_buildcheck
-      #    name: armel
-      #    ARCH: armel
-      #    CMAKE_ARGS:  -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic
-
-      - macOS:
-          <<: *require_buildcheck
-          name: macOS-noopenssl
-          CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF
-      - macOS:
-          <<: *require_buildcheck
-          name: macOS-shared
-          CMAKE_ARGS: -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=ON
-
-  commit-to-main:
-    when:
-      equal: [ main, << pipeline.git.branch >> ]
-    jobs:
-      - trigger-downstream-ci:
-          context: openquantumsafe
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1,22 +1,24 @@
 # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners

-* @dstebila @xvzcf
-/.circleci @jschanck @baentsch @xvzcf
-/.CMake @xvzcf
-/docs @dstebila
-/scripts @xvzcf
-/scripts/copy_from_upstream @baentsch @bhess @xvczf
+* @dstebila @baentsch
+/.github/workflows @SWilson4
+/docs/cbom.json @bhess
+/scripts/copy_from_upstream @baentsch @bhess @alexrow @praveksharma
 /src/common @dstebila
-/src/kem/bike @crockeea
+/src/common/*/*arm* @Martyrshot
+/src/common/libjade_shims @praveksharma
+/src/kem/bike @brian-jarvis-aws
 /src/kem/frodokem @dstebila
-/src/kem/kyber @jschanck
-/src/kem/ntru @jschanck
-/src/kem/sike @christianpaquin
-/src/oqsconfig.h.cmake @xvzcf
+/src/kem/kyber @bhess
+/src/kem/kyber/libjade* @praveksharma
+/src/kem/ml_kem @bhess
+/src/sig/cross @alexrow
 /src/sig/dilithium @bhess
-/src/sig/picnic @christianpaquin
-/CONTRIBUTORS @dstebila
-/LICENSE.txt @dstebila
-/README.md @dstebila
-/RELEASE.md @dstebila
-CMakeLists.txt @xvzcf
+/src/sig/mayo @bhess
+/src/sig/ml_dsa @bhess
+/src/sig_stfl/lms @ashman-p
+/src/sig_stfl/xmss @cothan
+/tests/ACVP_Vectors @bhess
+/tests/PQC_Intermediate_Values @bhess
+/tests/test_acvp_vectors.py @bhess
+/tests/test_sig_stfl.c @ashman-p @cothan
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,34 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment (please complete the following information):**
+ - OS: [e.g. Ubuntu 20]
+ - OpenSSL version [e.g., 3.0.2]
+ - Compiler version used [e.g., clang 9.0.0]
+ - Build variables used [e.g., "-DOQS_ALGS_ENABLED=STD"]
+ - liboqs version [e.g. 0.7.2 or main branch]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@ -0,0 +1,7 @@
+# Configuration variables in array of strings defined in your repository or organization
+# From https://github.com/rhysd/actionlint/blob/v1.7.7/docs/config.md:
+# "When an array is set, actionlint will check vars properties strictly. An empty array means no variable is allowed."
+config-variables:
+  # - DEFAULT_RUNNER
+  # - JOB_NAME
+  # - ENVIRONMENT_STAGE
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -2,9 +2,12 @@

 <!-- Does this PR resolve any issue?  If so, please reference it using automatic-closing keywords like "Fixes #123." -->

+<!-- Any PR adding a new feature is expected to contain a test; the test should be part of CI testing, preferably within the ".github/workflows" directory tree. Please add an explanation to the PR if/when (why) this cannot be done. -->
+
 <!-- Please answer the following questions to help manage version and changes across projects. -->

 * [ ] Does this PR change the input/output behaviour of a cryptographic algorithm (i.e., does it change known answer test values)?  (If so, a version bump will be required from *x.y.z* to *x.(y+1).0*.)
-* [ ] Does this PR change the the list of algorithms available -- either adding, removing, or renaming?  (If so, PRs in OQS-OpenSSL, OQS-BoringSSL, and OQS-OpenSSH will also be required by the time this is merged.)
+* [ ] Does this PR change the list of algorithms available -- either adding, removing, or renaming? Does this PR otherwise change an API? (If so, PRs in fully supported downstream projects dependent on these, i.e., [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) will also need to be ready for review and merge by the time this is merged.)

 <!-- Once your pull request is ready for review and passing continuous integration tests, please convert from a draft PR to a normal PR, and request a review from one of the OQS core team members. -->
+
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@ -0,0 +1,22 @@
+name: android build
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  android:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        abi: [armeabi-v7a, arm64-v8a, x86, x86_64]
+        stfl_opt: [ON, OFF]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+      - name: Build project
+        run: ./scripts/build-android.sh $ANDROID_NDK_HOME -a ${{ matrix.abi }} -f "-DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }}"
--- a/.github/workflows/apple.yml
+++ b/.github/workflows/apple.yml
@ -0,0 +1,25 @@
+name: apple build
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  apple-mobile:
+    runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [OS64, TVOS]
+        stfl_opt: [OFF, ON]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+      - name: Generate project
+        run: |
+          cmake -B build --toolchain .CMake/apple.cmake -DOQS_USE_OPENSSL=OFF -DPLATFORM=${{ matrix.platform }} \
+            -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }} .
+      - name: Build project
+        run: cmake --build build
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@ -0,0 +1,173 @@
+name: Basic checks
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+  workflowcheck:
+    name: Check validity of GitHub workflows
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Ensure GitHub actions are valid
+        run: actionlint -shellcheck "" # run *without* shellcheck
+
+  stylecheck:
+    name: Check code formatting
+    needs: [workflowcheck]
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Ensure code conventions are upheld
+        run: python3 -m pytest --verbose tests/test_code_conventions.py
+      - name: Check that doxygen can parse the documentation
+        run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build
+      - name: Validate CBOM
+        run: scripts/validate_cbom.sh
+
+  upstreamcheck:
+    name: Check upstream code is properly integrated
+    needs: [workflowcheck]
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: |
+          git config --global user.name "ciuser" && \
+          git config --global user.email "ci@openquantumsafe.org" && \
+          git config --global --add safe.directory "$PWD" && \
+          echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV"
+      - name: Verify copy_from_upstream state after copy
+        working-directory: "scripts/copy_from_upstream"
+        run: |
+          python3 copy_from_upstream.py -d copy && \
+          git status --porcelain && \
+          test -z "$(git status --porcelain)"
+      - name: Verify copy_from_upstream state after libjade
+        working-directory: "scripts/copy_from_upstream"
+        run: |
+          python3 copy_from_upstream.py -d libjade && \
+          git status --porcelain && \
+          test -z "$(git status --porcelain)"
+
+  buildcheck:
+    name: Check that code passes a basic build
+    needs: [workflowcheck, stylecheck, upstreamcheck]
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    env:
+      KEM_NAME: ml_kem_768
+      SIG_NAME: ml_dsa_65
+    steps:
+      - name: Create random build folder
+        run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: |
+          cmake \
+            -B ${{ env.RANDOM_BUILD_DIR }} \
+            -GNinja \
+            -DOQS_STRICT_WARNINGS=ON \
+            -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \
+            --warn-uninitialized . > config.log 2>&1 && \
+          cat config.log && \
+          cmake -LA -N . && \
+          ! (grep -i "uninitialized variable" config.log)
+      - name: Build code
+        run: ninja
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
+      - name: Build documentation
+        run: ninja gen_docs
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
+
+  cppcheck:
+    name: Check C++ linking with example program
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    env:
+      SIG_NAME: dilithium_2
+    steps:
+      - name: Create random build folder
+        run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: |
+          cmake \
+            -B ${{ env.RANDOM_BUILD_DIR }} \
+            -GNinja \
+            -DOQS_STRICT_WARNINGS=ON \
+            -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \
+            --warn-uninitialized . > config.log 2>&1 && \
+          cat config.log && \
+          cmake -LA -N . && \
+          ! (grep -i "uninitialized variable" config.log)
+      - name: Build liboqs
+        run: ninja
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
+      - name: Link with C++ program
+        run: |
+          g++ "$GITHUB_WORKSPACE"/cpp/sig_linking_test.cpp -g \
+          -I./include -L./lib -loqs -lcrypto -std=c++11 -o example_sig && \
+          ./example_sig
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
+
+  fuzzbuildcheck:
+    name: Check that code passes a basic fuzzing build
+    needs: [workflowcheck, stylecheck, upstreamcheck]
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    env:
+      SIG_NAME: dilithium_2
+      CC: clang
+      CXX: clang++
+      CFLAGS: -fsanitize=fuzzer-no-link,address
+      LDFLAGS: -fsanitize=address
+    steps:
+      - name: Create random build folder
+        run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: |
+          cmake \
+            -B ${{ env.RANDOM_BUILD_DIR }} \
+            -GNinja \
+            -DOQS_STRICT_WARNINGS=ON \
+            -DOQS_BUILD_FUZZ_TESTS=ON \
+            -DOQS_MINIMAL_BUILD="SIG_$SIG_NAME" \
+            --warn-uninitialized . > config.log 2>&1 && \
+          cat config.log && \
+          cmake -LA -N . && \
+          ! (grep -i "uninitialized variable" config.log)
+      - name: Build code
+        run: ninja fuzz_test_sig
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
+
+      - name: Short fuzz check (30s)
+        run: ./tests/fuzz_test_sig -max_total_time=30
+        working-directory: ${{ env.RANDOM_BUILD_DIR }}
+
+  nixflakecheck:
+    name: Check that Nix flake has correct syntax and can build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72
+      - name: Check devShell
+        run: nix develop --command echo 
+      - name: Check flake syntax
+        run: nix flake check --no-build # check for accurate syntax
+      - name: Check that the flake builds
+        run: nix build # check that the build runs
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@ -0,0 +1,60 @@
+name: Code coverage tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+  coverage:
+    name: Run code coverage testing
+    strategy:
+      matrix:
+        # The 'id' value for each job should be added to the 'carry-forward' string in the 'finish' job.
+        include:
+          - id: x64-generic
+            runner: ubuntu-latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic
+          - id: x64-distbuild
+            runner: ubuntu-latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=ON
+          - id: arm64-distbuild
+            runner: ubuntu-24.04-arm
+            CMAKE_ARGS: -DOQS_DIST_BUILD=ON
+    runs-on: ${{ matrix.runner }}
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: |
+          mkdir build && cd build && \
+          cmake -GNinja -DCMAKE_BUILD_TYPE=Debug -DUSE_COVERAGE=ON ${{ matrix.CMAKE_ARGS }} .. && \
+          cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Run tests
+        run: |
+          python3 -m pytest --verbose --numprocesses=auto \
+          tests/test_acvp_vectors.py \
+          tests/test_cmdline.py \
+          tests/test_kat.py
+      - name: Run lcov
+        run: lcov -d . -c -o lcov.info --exclude /usr/lib,/usr/include --ignore-errors unused
+      - name: Upload to coveralls.io
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # pin@v2.3.6
+        with:
+          flag-name: ${{ matrix.id }}
+          parallel: true
+
+  finish:
+    needs: coverage
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Finish coveralls.io
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # pin@v2.3.6
+        with:
+          parallel-finished: true
+          carry-forward: "x64-generic,x64-distbuild,arm64-distbuild"
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@ -0,0 +1,38 @@
+name: Main branch tests
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ['main']
+
+jobs:
+
+  platform-tests:
+    uses: ./.github/workflows/platforms.yml
+
+  code-coverage:
+    uses: ./.github/workflows/code-coverage.yml
+    secrets: inherit
+
+  scorecard:
+    uses: ./.github/workflows/scorecard.yml
+    secrets: inherit
+    permissions:
+      id-token: write
+      security-events: write
+
+  basic-downstream:
+    uses: ./.github/workflows/downstream-basic.yml
+    secrets: inherit
+
+  call-kem-benchmarking:
+    uses: ./.github/workflows/kem-bench.yml
+    permissions:
+      contents: write
+    
+  call-sig-benchmarking:
+    uses: ./.github/workflows/sig-bench.yml
+    permissions:
+      contents: write
--- a/.github/workflows/downstream-basic.yml
+++ b/.github/workflows/downstream-basic.yml
@ -0,0 +1,107 @@
+name: Trigger basic downstream CI
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  trigger-downstream-ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger OQS-BoringSSL CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"event_type":"liboqs-upstream-trigger"}' \
+               https://api.github.com/repos/open-quantum-safe/boringssl/dispatches | tee curl_out \
+          && grep -q "204" curl_out
+      - name: Trigger OQS-OpenSSH CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"ref":"OQS-v9"}' \
+               https://api.github.com/repos/open-quantum-safe/openssh/actions/workflows/ubuntu.yaml/dispatches | tee curl_out \
+          && grep -q "204" curl_out
+      - name: Trigger oqs-provider CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \
+               --request POST \
+               --header "Content-Type: application/json" \
+               --data '{ "branch": "main" }' \
+               https://circleci.com/api/v2/project/gh/open-quantum-safe/oqs-provider/pipeline | tee curl_out \
+          && grep -q "201" curl_out
+      - name: Trigger liboqs-cpp CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"event_type":"liboqs-upstream-trigger"}' \
+               https://api.github.com/repos/open-quantum-safe/liboqs-cpp/dispatches | tee curl_out \
+          && grep -q "204" curl_out
+      - name: Trigger liboqs-go CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"event_type":"liboqs-upstream-trigger"}' \
+               https://api.github.com/repos/open-quantum-safe/liboqs-go/dispatches | tee curl_out \
+          && grep -q "204" curl_out
+      - name: Trigger liboqs-python CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"event_type":"liboqs-upstream-trigger"}' \
+               https://api.github.com/repos/open-quantum-safe/liboqs-python/dispatches | tee curl_out \
+          && grep -q "204" curl_out
+      - name: Trigger liboqs-java CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"event_type":"liboqs-upstream-trigger"}' \
+               https://api.github.com/repos/open-quantum-safe/liboqs-java/dispatches | tee curl_out \
+          && grep -q "204" curl_out
+      - name: Trigger liboqs-rust CI
+        if: ${{ !cancelled() }} # run all steps independent of failures
+        run: |
+          curl --silent \
+               --write-out "\n%{response_code}\n" \
+               --request POST \
+               --header "Accept: application/vnd.github+json" \
+               --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+               --header "X-GitHub-Api-Version: 2022-11-28" \
+               --data '{"event_type":"liboqs-upstream-trigger"}' \
+               https://api.github.com/repos/open-quantum-safe/liboqs-rust/dispatches | tee curl_out \
+          && grep -q "204" curl_out
--- a/.github/workflows/downstream-release.yml
+++ b/.github/workflows/downstream-release.yml
@ -0,0 +1,30 @@
+name: Downstream release tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+# Trigger oqs-provider release tests.
+# When triggered by a release (see release.yml), the liboqs release tag and the provider "<release tag>-tracker" branch are used.
+# When triggered by a commit message (see filter.yml), the triggering liboqs branch and the provider "<liboqs branch>-tracker" branch are used.
+# If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead.
+
+jobs:
+  oqs-provider-release-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout release tests script
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
+        with:
+          sparse-checkout: |
+            scripts/provider-test-trigger.sh
+          sparse-checkout-cone-mode: false
+      - name: Trigger oqs-provider release tests
+        run: |
+          CURL_FLAGS="--silent --write-out \n%{response_code}\n" \
+          ACCESS_TOKEN="${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+          LIBOQS_REF="${{ github.ref_name }}" \
+          PROVIDER_REF="${{ github.ref_name }}-tracker" \
+          ./scripts/provider-test-trigger.sh | tee curl_out \
+          && grep -q "204" curl_out
--- a/.github/workflows/extended.yml
+++ b/.github/workflows/extended.yml
@ -0,0 +1,74 @@
+name: Extended tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  constant-time-x64:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: generic
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
+            PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
+            SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*'
+          - name: extensions
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
+            PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
+            SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*'
+    container:
+      image: ${{ matrix.container }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
+      - name: Configure
+        run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Run tests
+        timeout-minutes: 360
+        run: mkdir -p tmp && SKIP_ALGS='${{ matrix.SKIP_ALGS }}' python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }}
+
+  nistkat-x64:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: generic
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic
+            PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+          - name: generic-libjade
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+          - name: extensions
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto
+            PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+          - name: extensions-libjade
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST}}"
+            PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all'
+    container:
+      image: ${{ matrix.container }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Run tests
+        timeout-minutes: 360
+        run: mkdir -p tmp && python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }}
--- a/.github/workflows/kem-bench.yml
+++ b/.github/workflows/kem-bench.yml
@ -0,0 +1,121 @@
+name: kem benchmark
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          fetch-depth: 0
+
+      # Set up dependencies
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y cmake ninja-build gcc g++ python3 python3-pip
+          sudo apt-get install -y python3-cpuinfo
+
+      # Build the speed_kem binary only
+      - name: Build speed_kem binary
+        run: |
+          mkdir -p build
+          cd build
+          cmake -GNinja .. -DBUILD_SHARED_LIBS=OFF
+          ninja speed_kem
+
+      # Copy the parse_liboqs_speed.py script
+      - name: Copy parse_liboqs_speed.py
+        run: |
+          cp scripts/parse_liboqs_speed.py build/tests/
+
+      # Upload the built binary and script as an artifact
+      - name: Upload artifacts
+        uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
+        with:
+          name: built-binary
+          path: build/tests/
+
+  benchmark:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    strategy:
+      matrix: 
+        algorithm: [ # List of available KEMs to perform the benchmarking on
+          "BIKE-L1",
+          "BIKE-L3", 
+          "BIKE-L5",
+          "Classic-McEliece-348864", 
+          "Classic-McEliece-348864f",
+          "Classic-McEliece-460896", 
+          "Classic-McEliece-460896f",
+          "Classic-McEliece-6688128", 
+          "Classic-McEliece-6688128f",
+          "Classic-McEliece-6960119", 
+          "Classic-McEliece-6960119f",
+          "Classic-McEliece-8192128", 
+          "Classic-McEliece-8192128f",
+          "Kyber512",
+          "Kyber768",
+          "Kyber1024",
+          "ML-KEM-512",
+          "ML-KEM-768",
+          "ML-KEM-1024",
+          "sntrup761",
+          "FrodoKEM-640-AES", 
+          "FrodoKEM-640-SHAKE",
+          "FrodoKEM-976-AES", 
+          "FrodoKEM-976-SHAKE",
+          "FrodoKEM-1344-AES", 
+          "FrodoKEM-1344-SHAKE"
+        ]
+      max-parallel: 1 # No parallel jobs to not compromise the pull-push operations of the benchmarking actions below
+
+    steps:
+      # Ensure the repository is checked out
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          fetch-depth: 0
+
+      # Download the built binary and script
+      - name: Download artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # pin@v4
+        with:
+          name: built-binary
+          path: build/tests/
+
+      # Set execute permissions for the binary
+      - name: Set execute permissions
+        run: chmod +x build/tests/speed_kem
+
+      # Run speed_kem tests for each algorithm
+      - name: Run speed_kem tests
+        run: |
+          cd build/tests
+          ./speed_kem "${{matrix.algorithm}}" > ${{matrix.algorithm}}_output.txt
+          python3 parse_liboqs_speed.py ${{matrix.algorithm}}_output.txt --algorithm ${{matrix.algorithm}}
+
+      # Push to GitHub pages using continuous-benchmark
+      - name: Store benchmark result
+        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7
+        with:
+          name: ${{matrix.algorithm}}
+          tool: "customSmallerIsBetter"
+          output-file-path: build/tests/${{matrix.algorithm}}_formatted.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          auto-push: true
+          comment-on-alert: true
+          summary-always: true
+          alert-threshold: 105%
+          comment-always: false
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -0,0 +1,311 @@
+name: Linux tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  linux:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: arm64
+            runner: ubuntu-24.04-arm
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            PYTEST_ARGS: --maxprocesses=10 --ignore=tests/test_kat_all.py
+            CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON
+          - name: alpine
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-alpine-amd64:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: alpine-libjade
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-alpine-amd64:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: alpine-no-stfl-key-sig-gen
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-alpine-amd64:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: alpine-openssl-all
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-alpine-amd64:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: alpine-noopenssl
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-alpine-amd64:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: noble-nistr4-openssl
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_R4
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: noble-nistonramp-openssl
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_SIG_ONRAMP
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: noble-noopenssl
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: noble-noopenssl-libjade
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: noble-shared-noopenssl
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON
+            PYTEST_ARGS: --ignore=tests/test_namespace.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: jammy-clang
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-jammy:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang
+            PYTEST_ARGS: --ignore=tests/test_kat_all.py
+          - name: noble-clang
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang
+            PYTEST_ARGS: --ignore=tests/test_kat_all.py -k 'not (leaks and (Dilithium or ML-DSA))'
+          - name: jammy-std-openssl3
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-jammy:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: jammy-std-openssl3-libjade
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-jammy:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: jammy-std-openssl3-dlopen
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-jammy:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: jammy-std-openssl3-dlopen-libjade
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-jammy:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+          - name: address-sanitizer
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10
+          - name: address-sanitizer-no-stfl-key-sig-gen
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10
+          - name: address-sanitizer-libjade
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10
+          - name: noble-no-sha3-avx512vl
+            runner: ubuntu-latest
+            container: openquantumsafe/ci-ubuntu-latest:latest
+            CMAKE_ARGS: -DOQS_USE_SHA3_AVX512VL=OFF
+            PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+    runs-on: ${{ matrix.runner }}
+    container:
+      image: ${{ matrix.container }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Check the library artifacts
+        if: matrix.name == 'jammy-std-openssl3-dlopen'
+        run: |
+          nm -gu lib/liboqs.so | sed -n 's/^[[:space:]]*[Uw] \([^_].*\)/\1/p' > undefined-syms.txt &&
+          ! (grep '^\(CRYPTO\|ERR\|EVP\|OPENSSL\|RAND\)_' undefined-syms.txt)
+        working-directory: build
+      - name: Run tests
+        timeout-minutes: 60
+        run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --numprocesses=auto ${{ matrix.PYTEST_ARGS }}
+      - name: Package .deb
+        if: matrix.name == 'jammy-std-openssl3'
+        run: cpack
+        working-directory: build
+      - name: Retain .deb file
+        if: matrix.name == 'jammy-std-openssl3'
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # pin@v4
+        with:
+          name: liboqs-openssl3-shared-x64
+          path: build/*.deb
+      - name: Check STD algorithm and alias
+        if: matrix.name == 'jammy-std-openssl3'
+        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
+        working-directory: build
+
+  linux_arm_emulated:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: armhf
+            ARCH: armhf
+            CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: armhf-no-stfl-key-sig-gen
+            ARCH: armhf
+            CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          # no longer supporting armel
+          # - name: armel
+          #   ARCH: armel
+          #   CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Install the emulation handlers
+        run: docker run --rm --privileged multiarch/qemu-user-static:register --reset
+      - name: Build in an x86_64 container
+        run: |
+          docker run --rm \
+                     -v `pwd`:`pwd` \
+                     -w `pwd` \
+                     openquantumsafe/ci-debian-buster-amd64:latest /bin/bash \
+                     -c "mkdir build && \
+                         (cd build && \
+                          cmake .. -GNinja ${{ matrix.CMAKE_ARGS }} \
+                                   -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_${{ matrix.ARCH }}.cmake && \
+                          cmake -LA -N .. && \
+                          ninja)"
+      - name: Run the tests in an ${{ matrix.ARCH }} container
+        timeout-minutes: 60
+        run: |
+          docker run --rm -e SKIP_TESTS=style,mem_kem,mem_sig \
+                          -v `pwd`:`pwd` \
+                          -w `pwd` \
+                          openquantumsafe/ci-debian-buster-${{ matrix.ARCH }}:latest /bin/bash \
+                          -c "mkdir -p tmp && \
+                              python3 -m pytest --verbose \
+                                                --numprocesses=auto \
+                                                --ignore=tests/test_code_conventions.py ${{ matrix.PYTEST_ARGS }}"
+
+  linux_cross_compile:
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: windows-binaries
+            CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake
+          - name: windows-dll
+            CMAKE_ARGS: -DCMAKE_TOOLCHAIN_FILE=../.CMake/toolchain_windows-amd64.cmake -DBUILD_SHARED_LIBS=ON
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+
+  linux_openssl330-dev:
+    runs-on: ubuntu-latest
+    container:
+      image: openquantumsafe/ci-ubuntu-jammy:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Retrieve OpenSSL330 from cache
+        id: cache-openssl330
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4
+        with:
+          path: .localopenssl330
+          key: ${{ runner.os }}-openssl330
+      - name: Checkout the OpenSSL v3.3.0 commit
+        if: steps.cache-openssl330.outputs.cache-hit != 'true'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          repository: 'openssl/openssl'
+          ref: 'openssl-3.3.0-beta1'
+          path: openssl
+      - name: Prepare the OpenSSL build directory
+        if: steps.cache-openssl330.outputs.cache-hit != 'true'
+        run: mkdir .localopenssl330
+        working-directory: openssl
+      - name: Build openssl3 if not cached
+        if: steps.cache-openssl330.outputs.cache-hit != 'true'
+        run: |
+          ./config --prefix=`pwd`/../.localopenssl330 && make -j 4 && make install_sw install_ssldirs
+        working-directory: openssl
+      - name: Save OpenSSL
+        id: cache-openssl-save
+        if: steps.cache-openssl330.outputs.cache-hit != 'true'
+        uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # pin@v4
+        with:
+          path: |
+            .localopenssl330
+          key: ${{ runner.os }}-openssl330
+      - name: Configure
+        run: mkdir build && cd build && cmake -GNinja -DOQS_STRICT_WARNINGS=ON -DOPENSSL_ROOT_DIR=../.localopenssl330 -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Run tests
+        timeout-minutes: 60
+        run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
+
+  scan_build:
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Configure
+        run: mkdir build && cd build && scan-build --status-bugs cmake -GNinja ..
+      - name: Build
+        run: scan-build --status-bugs ninja
+        working-directory: build
+
+  linux_x86_emulated:
+    runs-on: ubuntu-latest
+    container:
+      image: openquantumsafe/ci-ubuntu-latest:latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: avx512-ml-kem_ml-dsa
+            SDE_ARCH: -skx
+            CMAKE_ARGS: -DOQS_MINIMAL_BUILD="KEM_ml_kem_512;KEM_ml_kem_768;KEM_ml_kem_1024;SIG_ml_dsa_44;SIG_ml_dsa_65;SIG_ml_dsa_87"
+            PYTEST_ARGS: tests/test_hash.py::test_sha3 tests/test_kat.py tests/test_acvp_vectors.py
+    env:
+      SDE_URL: https://downloadmirror.intel.com/850782/sde-external-9.53.0-2025-03-16-lin.tar.xz
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Setup Intel SDE
+        run: |
+          wget -O sde.tar.xz "$SDE_URL" && \
+            mkdir sde && tar -xf sde.tar.xz -C sde --strip-components=1 && \
+            echo "$(pwd)/sde" >> $GITHUB_PATH
+      - name: Configure
+        run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Run tests
+        timeout-minutes: 60
+        run: |
+          mkdir -p tmp && sde64 ${{ matrix.SDE_ARCH }} -- \
+            python3 -m pytest --verbose --numprocesses=auto ${{ matrix.PYTEST_ARGS }}
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -0,0 +1,63 @@
+name: MacOS tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  macos:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          # macos-13 runs on x64; the others run on aarch64
+          - macos-13
+          - macos-14
+          - macos-15
+        CMAKE_ARGS:
+          - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+          - -DCMAKE_C_COMPILER=gcc-14
+          - -DOQS_USE_OPENSSL=OFF
+          - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF
+        libjade-build:
+          - -DOQS_LIBJADE_BUILD=OFF
+          # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by
+          # libjade to minimise repeated tests
+          - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+        exclude:
+          # macos-14 and macos-15 run on aarch64, libjade targets x86
+          # Skip testing libjade on macos-14
+          - os: macos-14
+            libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+          - os: macos-15
+            libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+          # No point in testing stateful sigs with minimal libjade build
+          - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}"
+            CMAKE_ARGS: -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+          # Failing configuration on Github actions; see https://github.com/open-quantum-safe/liboqs/pull/2148
+          - os: macos-15
+            CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-14
+            libjade-build: -DOQS_LIBJADE_BUILD=OFF
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Install Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5
+        with:
+          python-version: '3.12'
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Install dependencies
+        run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt
+      - name: Get system information
+        run: sysctl -a | grep machdep.cpu
+      - name: Configure
+        run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} ${{ matrix.libjade-build }} .. && cmake -LA -N ..
+      - name: Build
+        run: ninja
+        working-directory: build
+      - name: Run tests
+        run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py
+        timeout-minutes: 60
--- a/.github/workflows/platforms.yml
+++ b/.github/workflows/platforms.yml
@ -0,0 +1,26 @@
+name: Tests for all supported platforms
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  android-tests:
+    uses: ./.github/workflows/android.yml
+
+  ios-tests:
+    uses: ./.github/workflows/apple.yml
+
+  linux-tests:
+    uses: ./.github/workflows/linux.yml
+
+  macos-tests:
+    uses: ./.github/workflows/macos.yml
+
+  windows-tests:
+    uses: ./.github/workflows/windows.yml
+
+  zephyr-tests:
+    uses: ./.github/workflows/zephyr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -0,0 +1,32 @@
+name: Pull request tests
+
+permissions:
+  contents: read
+
+on: pull_request
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  basic-checks:
+    uses: ./.github/workflows/basic.yml
+
+  platform-tests:
+    needs: basic-checks
+    uses: ./.github/workflows/platforms.yml
+
+  code-coverage:
+    needs: basic-checks
+    uses: ./.github/workflows/code-coverage.yml
+    secrets: inherit
+
+  scorecard:
+    needs: basic-checks
+    uses: ./.github/workflows/scorecard.yml
+    secrets: inherit
+    permissions:
+      id-token: write
+      security-events: write
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -0,0 +1,33 @@
+name: Push tests
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches-ignore: 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  basic-checks:
+    uses: ./.github/workflows/basic.yml
+
+  full-tests:
+    needs: basic-checks
+    if: contains( github.event.head_commit.message, '[full tests]' )
+    uses: ./.github/workflows/platforms.yml
+
+  extended-tests:
+    needs: basic-checks
+    if: contains( github.event.head_commit.message, '[extended tests]' )
+    uses: ./.github/workflows/extended.yml
+
+  downstream-release-tests:
+    needs: basic-checks
+    if: contains( github.event.head_commit.message, '[trigger downstream]' )
+    uses: ./.github/workflows/downstream-release.yml
+    secrets: inherit
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,17 @@
+name: Release tests
+
+permissions:
+  contents: read
+
+on:
+  release:
+    types: [ published ]
+
+jobs:
+
+  extended-tests:
+    uses: ./.github/workflows/extended.yml
+
+  downstream-release-tests:
+    uses: ./.github/workflows/downstream-release.yml
+    secrets: inherit
--- a/.github/workflows/requirements.in
+++ b/.github/workflows/requirements.in
@ -0,0 +1,8 @@
+colorama==0.4.6
+execnet==2.1.1
+iniconfig==2.0.0
+packaging==24.0
+pluggy==1.4.0
+pytest==8.1.1
+pytest-xdist==3.5.0
+pyyaml==6.0.1
--- a/.github/workflows/requirements.txt
+++ b/.github/workflows/requirements.txt
@ -0,0 +1,97 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --generate-hashes --output-file=requirements_new.txt requirements.txt
+#
+colorama==0.4.6 \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+    # via -r requirements.txt
+execnet==2.1.1 \
+    --hash=sha256:26dee51f1b80cebd6d0ca8e74dd8745419761d3bef34163928cbebbdc4749fdc \
+    --hash=sha256:5189b52c6121c24feae288166ab41b32549c7e2348652736540b9e6e7d4e72e3
+    # via
+    #   -r requirements.txt
+    #   pytest-xdist
+iniconfig==2.0.0 \
+    --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \
+    --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374
+    # via
+    #   -r requirements.txt
+    #   pytest
+packaging==24.0 \
+    --hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
+    --hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
+    # via
+    #   -r requirements.txt
+    #   pytest
+pluggy==1.4.0 \
+    --hash=sha256:7db9f7b503d67d1c5b95f59773ebb58a8c1c288129a88665838012cfb07b8981 \
+    --hash=sha256:8c85c2876142a764e5b7548e7d9a0e0ddb46f5185161049a79b7e974454223be
+    # via
+    #   -r requirements.txt
+    #   pytest
+pytest==8.1.1 \
+    --hash=sha256:2a8386cfc11fa9d2c50ee7b2a57e7d898ef90470a7a34c4b949ff59662bb78b7 \
+    --hash=sha256:ac978141a75948948817d360297b7aae0fcb9d6ff6bc9ec6d514b85d5a65c044
+    # via
+    #   -r requirements.txt
+    #   pytest-xdist
+pytest-xdist==3.5.0 \
+    --hash=sha256:cbb36f3d67e0c478baa57fa4edc8843887e0f6cfc42d677530a36d7472b32d8a \
+    --hash=sha256:d075629c7e00b611df89f490a5063944bee7a4362a5ff11c7cc7824a03dfce24
+    # via -r requirements.txt
+pyyaml==6.0.1 \
+    --hash=sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5 \
+    --hash=sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc \
+    --hash=sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df \
+    --hash=sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741 \
+    --hash=sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206 \
+    --hash=sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27 \
+    --hash=sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595 \
+    --hash=sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62 \
+    --hash=sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98 \
+    --hash=sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696 \
+    --hash=sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290 \
+    --hash=sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9 \
+    --hash=sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d \
+    --hash=sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6 \
+    --hash=sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867 \
+    --hash=sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47 \
+    --hash=sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486 \
+    --hash=sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6 \
+    --hash=sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3 \
+    --hash=sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007 \
+    --hash=sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938 \
+    --hash=sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0 \
+    --hash=sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c \
+    --hash=sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735 \
+    --hash=sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d \
+    --hash=sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28 \
+    --hash=sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4 \
+    --hash=sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba \
+    --hash=sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8 \
+    --hash=sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef \
+    --hash=sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5 \
+    --hash=sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd \
+    --hash=sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3 \
+    --hash=sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0 \
+    --hash=sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515 \
+    --hash=sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c \
+    --hash=sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c \
+    --hash=sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924 \
+    --hash=sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34 \
+    --hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43 \
+    --hash=sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859 \
+    --hash=sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673 \
+    --hash=sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54 \
+    --hash=sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a \
+    --hash=sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b \
+    --hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab \
+    --hash=sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa \
+    --hash=sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c \
+    --hash=sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585 \
+    --hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \
+    --hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f
+    # via -r requirements.txt
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -0,0 +1,64 @@
+name: Scorecard supply-chain security
+
+permissions: {}
+
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  workflow_call:
+  workflow_dispatch:
+
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # pin@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 28
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # pin@v3
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/sig-bench.yml
+++ b/.github/workflows/sig-bench.yml
@ -0,0 +1,151 @@
+name: sig benchmark
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          fetch-depth: 0
+
+      # Set up dependencies
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y cmake ninja-build gcc g++ python3 python3-pip
+          sudo apt-get install -y python3-cpuinfo
+
+      # Build the speed_sig binary only
+      - name: Build speed_sig binary
+        run: |
+          mkdir -p build
+          cd build
+          cmake -GNinja .. -DBUILD_SHARED_LIBS=OFF
+          ninja speed_sig
+
+      # Copy the parse_liboqs_speed.py script
+      - name: Copy parse_liboqs_speed.py
+        run: |
+          cp scripts/parse_liboqs_speed.py build/tests/
+
+      # Upload the built binary and script as an artifact
+      - name: Upload artifacts
+        uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
+        with:
+          name: built-sig-binary
+          path: build/tests/
+
+  benchmark:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    strategy:
+      matrix:
+        algorithm: [ # List of available signatures to perform the benchmarking on
+          "Dilithium2",
+          "Dilithium3",
+          "Dilithium5",
+          "ML-DSA-44",
+          "ML-DSA-65",
+          "ML-DSA-87",
+          "Falcon-512",
+          "Falcon-1024",
+          "Falcon-padded-512",
+          "Falcon-padded-1024",
+          "SPHINCS+-SHA2-128f-simple",
+          "SPHINCS+-SHA2-128s-simple",
+          "SPHINCS+-SHA2-192f-simple",
+          "SPHINCS+-SHA2-192s-simple",
+          "SPHINCS+-SHA2-256f-simple",
+          "SPHINCS+-SHA2-256s-simple",
+          "SPHINCS+-SHAKE-128f-simple",
+          "SPHINCS+-SHAKE-128s-simple",
+          "SPHINCS+-SHAKE-192f-simple",
+          "SPHINCS+-SHAKE-192s-simple",
+          "SPHINCS+-SHAKE-256f-simple",
+          "SPHINCS+-SHAKE-256s-simple",
+          "MAYO-1",
+          "MAYO-2",
+          "MAYO-3",
+          "MAYO-5",
+          "cross-rsdp-128-balanced",
+          "cross-rsdp-128-fast",
+          "cross-rsdp-128-small",
+          "cross-rsdp-192-balanced",
+          "cross-rsdp-192-fast",
+          "cross-rsdp-192-small",
+          "cross-rsdp-256-balanced",
+          "cross-rsdp-256-fast",
+          "cross-rsdp-256-small",
+          "cross-rsdpg-128-balanced",
+          "cross-rsdpg-128-fast",
+          "cross-rsdpg-128-small",
+          "cross-rsdpg-192-balanced",
+          "cross-rsdpg-192-fast",
+          "cross-rsdpg-192-small",
+          "cross-rsdpg-256-balanced",
+          "cross-rsdpg-256-fast",
+          "cross-rsdpg-256-small",
+          "OV-Is",
+          "OV-Ip",
+          "OV-III",
+          "OV-V",
+          "OV-Is-pkc",
+          "OV-Ip-pkc",
+          "OV-III-pkc",
+          "OV-V-pkc",
+          "OV-Is-pkc-skc",
+          "OV-Ip-pkc-skc",
+          "OV-III-pkc-skc",
+          "OV-V-pkc-skc"
+        ]
+      max-parallel: 1 # No parallel jobs to not compromise the pull-push operations of the benchmarking actions below
+
+    steps:
+      # Ensure the repository is checked out
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          fetch-depth: 0
+
+      # Download the built binary and script
+      - name: Download artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # pin@v4
+        with:
+          name: built-sig-binary
+          path: build/tests/
+
+      # Set execute permissions for the binary
+      - name: Set execute permissions
+        run: chmod +x build/tests/speed_sig
+
+      # Run speed_sig tests for each algorithm
+      - name: Run speed_sig tests
+        run: |
+          cd build/tests
+          ./speed_sig "${{matrix.algorithm}}" > ${{matrix.algorithm}}_output.txt
+          python3 parse_liboqs_speed.py ${{matrix.algorithm}}_output.txt --algorithm ${{matrix.algorithm}}
+
+      # Push to GitHub pages using continuous-benchmark
+      - name: Store benchmark result
+        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7
+        with:
+          name: ${{matrix.algorithm}}
+          tool: "customSmallerIsBetter"
+          output-file-path: build/tests/${{matrix.algorithm}}_formatted.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          auto-push: true
+          comment-on-alert: true
+          summary-always: true
+          alert-threshold: 105%
+          comment-always: false
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@ -0,0 +1,22 @@
+name: Weekly tests
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "5 0 * * 0"
+
+jobs:
+
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  scorecard:
+    uses: ./.github/workflows/scorecard.yml
+    secrets: inherit
+    permissions:
+      id-token: write
+      security-events: write
+
+  extended-tests:
+    uses: ./.github/workflows/extended.yml
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -0,0 +1,45 @@
+name: Windows tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  windows-arm64:
+    strategy:
+      matrix:
+        runner: [windows-2022, windows-2025]
+        stfl_opt: [ON, OFF]
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+      - name: Generate Project
+        run: cmake -B build --toolchain .CMake/toolchain_windows_arm64.cmake -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }} .
+      - name: Build Project
+        run: cmake --build build
+
+  windows-x86:
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [windows-2022, windows-2025]
+        toolchain: [.CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake]
+        stfl_opt: [ON, OFF]
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Install Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5
+        with:
+          python-version: '3.12'
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+      - name: Generate Project
+        run: cmake -B build --toolchain ${{ matrix.toolchain }} -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }} .
+      - name: Build Project
+        run: cmake --build build
+      - name: Test dependencies
+        run: pip.exe install --require-hashes -r .github\workflows\requirements.txt
+      - name: Run tests
+        run: |
+          python -m pytest --numprocesses=auto -vv --maxfail=10 --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py --junitxml=build\test-results\pytest\test-results.xml
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@ -0,0 +1,61 @@
+name: Zephyr tests
+
+permissions:
+  contents: read
+
+on: [workflow_call, workflow_dispatch]
+
+jobs:
+
+  zephyr_test:
+    runs-on: ubuntu-22.04
+    container: ghcr.io/zephyrproject-rtos/ci:v0.27.4
+    env:
+        CMAKE_PREFIX_PATH: /opt/toolchains
+    strategy:
+        fail-fast: false
+        matrix:
+          config:
+            - zephyr-ref: v3.4.0
+            - zephyr-ref: v3.7.0
+
+    steps:
+        - name: Init Zephyr workspace
+          run: |
+            mkdir zephyr && cd zephyr
+            mkdir manifest && cd manifest
+            echo "manifest:" > west.yml
+            echo "  remotes:" >> west.yml
+            echo "    - name: zephyr" >> west.yml
+            echo "      url-base: https://github.com/zephyrproject-rtos" >> west.yml
+            echo "    - name: liboqs" >> west.yml
+            echo "      url-base: https://github.com/${{ github.repository_owner }}" >> west.yml
+            echo "  projects:" >> west.yml
+            echo "    - name: zephyr" >> west.yml
+            echo "      remote: zephyr" >> west.yml
+            echo "      repo-path: zephyr" >> west.yml
+            echo "      revision: ${{ matrix.config.zephyr-ref }}" >> west.yml
+            echo "      import:" >> west.yml
+            echo "        name-allowlist:" >> west.yml
+            echo "          - picolibc" >> west.yml
+            echo "    - name: liboqs" >> west.yml
+            echo "      remote: liboqs" >> west.yml
+            echo "      revision: $(echo '${{ github.ref }}' | sed -e 's/refs\/heads\///')" >> west.yml
+            echo "      path: modules/crypto/liboqs" >> west.yml
+            west init -l --mf west.yml .
+
+        - name: Update west workspace
+          working-directory: zephyr
+          run: |
+            west update -n -o=--depth=1
+            west zephyr-export
+
+        - name: Run Signature test
+          working-directory: zephyr
+          run: |
+            west twister --integration -T modules/crypto/liboqs/zephyr -s samples/Signatures/sample.crypto.liboqs_signature_example -vvv
+
+        - name: Run KEM test
+          working-directory: zephyr
+          run: |
+            west twister --integration -T modules/crypto/liboqs/zephyr -s samples/KEMs/sample.crypto.liboqs_kem_example -vvv
--- a/.gitignore
+++ b/.gitignore
@ -5,8 +5,9 @@ tags
 *~
 .tags*

-# CMake
+# CMake & testing
 /build*
+/tmp*

 # MSVC
 .vs
@ -15,9 +16,27 @@ tags
 # CLion
 /cmake-build*

+# Visual Studio Code
+.vscode
+
+# Jetbrains IDEs
+.idea
+
+# MacOS
+.DS_Store
+
+# Generated by copy_from_upstream.py
+# and update_pqclean_alg_docs.py
+scripts/copy_from_upstream/repos
+scripts/copy_from_upstream/verify_from_upstream
+
 # Misc
 __pycache__
 .pytest_cache
 .cache
 .CMake/a.out
+compile_commands.json
+
+# Generated by Nix flake
+result/

--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,21 @@
+language: c
+before_script:
+  - sudo apt update && sudo apt -y install astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz valgrind
+jobs:
+  include:
+    - arch: ppc64le         # The IBM Power LXD container based build for OSS only
+      os: linux             # required for arch different than amd64
+      dist: focal           # or bionic | xenial with xenial as default
+      compiler: gcc
+      if: NOT branch =~ /^ghactionsonly-/
+      script:
+        - mkdir build && cd build && cmake -GNinja -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_STFL_SIG_KEY_SIG_GEN=ON .. && cmake -LA -N .. && ninja
+        - cd build & ninja run_tests
+    - arch: s390x
+      os: linux
+      dist: focal
+      compiler: gcc
+      if: NOT branch =~ /^ghactionsonly-/
+      script:
+        - mkdir build && cd build && cmake -GNinja -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_STFL_SIG_KEY_SIG_GEN=ON .. && cmake -LA -N .. && ninja
+        - cd build & ninja run_tests
--- a/CI.md
+++ b/CI.md
@ -0,0 +1,111 @@
+# Continuous Integration (CI)
+
+This document aims to provide a accessible yet comprehensive overview of the liboqs CI setup.
+
+## GitHub Actions
+
+liboqs relies on GitHub Actions for almost all of its CI and makes extensive use of [reusable workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows).
+All workflow files are located in the `.github/workflows` subdirectory.
+
+### Caller workflows
+
+These workflows are triggered by GitHub events (for example, a pull request or a release).
+They implement the logic dictating which tests should run on which events.
+
+#### <a name="push.yml"></a> Push workflow (`push.yml`)
+
+This workflow is triggered by pushes to non-`main` branches.
+It calls only [basic checks](#basic.yml) unless one of the following strings is included in the commit message:
+- "[full tests]": calls [all platform tests](#platforms.yml).
+- "[extended tests]": calls the [extended tests](#extended.yml).
+- "[trigger downstream]": calls the [downstream release tests](#downstream-release.yml).
+
+To trigger multiple test suites, include multiple trigger strings in the commit message.
+For example, "[full tests] [trigger downstream]" will trigger both the platform tests and the downstream release tests.
+
+#### <a name="pr.yml"></a> Pull request workflow (`pr.yml`)
+
+This workflow runs on pull requests.
+It calls [basic checks](#basic.yml), [code coverage tests](#code-coverage.yml), [platform tests](#platforms.yml) and [scorecard analysis](#scorecard.yml).
+
+#### <a name="commit-to-main.yml"></a> Commit-to-main workflow (`commit-to-main.yml`)
+
+This workflow runs on pushes to the `main` branch (typically done automatically when a pull request is merged).
+It calls [platform tests](#platforms.yml), [code coverage tests](#code-coverage.yml), [scorecard analysis](#scorecard.yml), and [basic downstream tests](#downstream-basic.yml).
+
+#### <a name="weekly.yml"></a> Weekly workflow (`weekly.yml`)
+
+This workflow is triggered by a weekly schedule.
+It calls [extended tests](#extended.yml) and [scorecard analysis](#scorecard.yml).
+
+#### <a name="release.yml"></a> Release workflow (`release.yml`)
+
+This workflow is triggered when a release (including a pre-release) is published on GitHub.
+It calls [extended tests](#extended) and [downstream release tests](#downstream-release.yml).
+
+### Callable workflows
+
+These workflows are not triggered directly by any GitHub event.
+They are instead called by one of the [caller workflows](#caller-workflows).
+Users with "write" permissions can also trigger them manually via the GitHub web UI or REST API.
+
+#### <a name="basic.yml"></a> Basic checks (`basic.yml`)
+
+This workflow runs a minimal set of tests that should pass before heavier tests are triggered.
+
+#### <a name="code-coverage.yml"></a> Code coverage tests (`code-coverage.yml`)
+
+This workflow runs code coverage tests and uploads the results to [Coveralls.io](https://coveralls.io/github/open-quantum-safe/liboqs).
+
+#### <a name="<platform>.yml"></a> Individual platform tests (`<platform>.yml`)
+
+These workflows contain tests for the individual [platforms supported by liboqs](PLATFORMS.md).
+Currently, these include
+- `android.yml`,
+- `apple.yml`,
+- `macos.yml`,
+- `linux.yml`,
+- `windows.yml`, and
+- `zephyr.yml`.
+
+All of these these are wrapped by [`platforms.yml`](#platforms.yml).
+
+#### <a name="platforms.yml"></a> All platform tests (`platforms.yml`)
+
+This workflow calls all of the [platform-specific tests](#<platform>.yml).
+
+#### <a name="extended.yml"></a> Extended tests (`extended.yml`)
+
+This workflow calls tests which are either resource intensive or rarely need to be triggered.
+Currently, this includes constant-time testing with valgrind and the full suite of NIST Known Answer Tests.
+
+#### <a name="downstream-basic.yml"></a> Basic downstream trigger (`downstream-basic.yml`)
+
+This workflow triggers basic CI for a selection of projects that depend on `liboqs`.
+Currently, these include
+- [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider)
+- [`OQS-BoringSSL`](https://github.com/open-quantum-safe/boringssl)
+- [`OQS-OpenSSH`](https://github.com/open-quantum-safe/openssh)
+- [`OQS Demos`](https://github.com/open-quantum-safe/oqs-demos)
+- [`liboqs-cpp`](https://github.com/open-quantum-safe/liboqs-cpp)
+- [`liboqs-go`](https://github.com/open-quantum-safe/liboqs-go)
+- [`liboqs-python`](https://github.com/open-quantum-safe/liboqs-python)
+
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
+#### <a name="downstream-release.yml"></a> Downstream release trigger (`downstream-release.yml`)
+
+This workflow triggers release tests for a selection of projects that depend on `liboqs`.
+Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider).
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
+#### <a name="scorecard.yml"></a> OpenSSF scorecard analysis (`scorecard.yml`)
+
+This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool.
+It is additionally triggered automatically when branch protection rules are changed.
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
+## Travis CI
+
+In the past, we used Travis CI to test on [some IBM platforms](PLATFORMS.md#tier-3-1) that are not supported by GitHub Actions.
+Our Travis builds are currently disabled pending resolution of [issue #1888](https://github.com/open-quantum-safe/liboqs/issues/1888).
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,6 +1,6 @@
 # SPDX-License-Identifier: MIT

-cmake_minimum_required (VERSION 3.5)
+cmake_minimum_required (VERSION 3.15)
 # option() honors normal variables.
 # see: https://cmake.org/cmake/help/git-stage/policy/CMP0077.html
 if(POLICY CMP0077)
@ -11,12 +11,29 @@ endif()
 if(POLICY CMP0063)
    cmake_policy(SET CMP0063 NEW)
 endif()
+if(POLICY CMP0066)
+    cmake_policy(SET CMP0066 NEW)
+endif()
+if(POLICY CMP0067)
+    cmake_policy(SET CMP0067 NEW)
+endif()

 project(liboqs C ASM)

-option(OQS_DIST_BUILD "Build distributable library with optimized code for several CPU microarchitectures. Enables run-time CPU feature detection." OFF)
+option(OQS_DIST_BUILD "Build distributable library with optimized code for several CPU microarchitectures. Enables run-time CPU feature detection." ON)
 option(OQS_BUILD_ONLY_LIB "Build only liboqs and do not expose build targets for tests, documentation, and pretty-printing available." OFF)
-option(OQS_MINIMAL_BUILD  "Only build the default KEM and Signature schemes." OFF)
+set(OQS_MINIMAL_BUILD "" CACHE STRING "Only build specifically listed algorithms.")
+option(OQS_LIBJADE_BUILD "Enable formally verified implementation of supported algorithms from libjade." OFF)
+option(OQS_PERMIT_UNSUPPORTED_ARCHITECTURE "Permit compilation on an an unsupported architecture." OFF)
+option(OQS_STRICT_WARNINGS "Enable all compiler warnings." OFF)
+option(OQS_EMBEDDED_BUILD "Compile liboqs for an Embedded environment without a full standard library." OFF)
+option(OQS_USE_CUPQC "Utilize cuPQC as the backend for supported PQC algorithms." OFF)
+
+# Libfuzzer isn't supported on gcc
+if('${CMAKE_C_COMPILER_ID}' STREQUAL 'Clang')
+    option(OQS_BUILD_FUZZ_TESTS "Build fuzz test suite" OFF)
+endif()
+

 set(OQS_OPT_TARGET auto CACHE STRING "The target microarchitecture for optimization.")

@ -24,30 +41,118 @@ set(CMAKE_C_STANDARD 11)
 set(CMAKE_C_STANDARD_REQUIRED ON)
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_C_VISIBILITY_PRESET hidden)
-set(OQS_VERSION_TEXT "0.6.0-rc3")
+set(OQS_VERSION_MAJOR 0)
+set(OQS_VERSION_MINOR 13)
+set(OQS_VERSION_PATCH 1)
+set(OQS_VERSION_PRE_RELEASE "-dev")
+set(OQS_VERSION_TEXT "${OQS_VERSION_MAJOR}.${OQS_VERSION_MINOR}.${OQS_VERSION_PATCH}${OQS_VERSION_PRE_RELEASE}")
 set(OQS_COMPILE_BUILD_TARGET "${CMAKE_SYSTEM_PROCESSOR}-${CMAKE_HOST_SYSTEM}")
+set(OQS_MINIMAL_GCC_VERSION "7.1.0")
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)

+# Determine the flags for fuzzing. Use OSS-Fuzz's configuration if available, otherwise fall back to defaults.
+if(DEFINED ENV{LIB_FUZZING_ENGINE})
+    set(FUZZING_ENGINE $ENV{LIB_FUZZING_ENGINE})
+    set(FUZZING_COMPILE_FLAGS "")
+    set(FUZZING_LINK_FLAGS "${FUZZING_ENGINE}")
+else()
+    set(FUZZING_COMPILE_FLAGS "-fsanitize=fuzzer,address")
+    set(FUZZING_LINK_FLAGS "-fsanitize=fuzzer,address")
+endif()
+
+# heuristic check to see whether we're running on a RaspberryPi
+if(EXISTS "/opt/vc/include/bcm_host.h")
+	add_definitions( -DOQS_USE_RASPBERRY_PI )
+endif()
+
 if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")
    set(ARCH "x86_64")
    set(ARCH_X86_64 ON)
    if(${OQS_DIST_BUILD})
        set(OQS_DIST_X86_64_BUILD ON)
    endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "x86|i586|i686")
+    set(ARCH "i586")
+    set(ARCH_X86 ON)
+    if(${OQS_DIST_BUILD})
+        set(OQS_DIST_X86_BUILD ON)
+    endif()
 elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8")
    set(ARCH "arm64v8")
    set(ARCH_ARM64v8 ON)
    if(${OQS_DIST_BUILD})
-        set(OQS_DIST_ARM64v8_BUILD ON)
+        set(OQS_DIST_ARM64_V8_BUILD ON)
    endif()
 elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "armel|armhf|armv7|arm32v7")
    set(ARCH "arm32v7")
    set(ARCH_ARM32v7 ON)
    if(${OQS_DIST_BUILD})
-        set(OQS_DIST_ARM32v7_BUILD ON)
+        set(OQS_DIST_ARM32_V7_BUILD ON)
    endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "ppc64le|powerpc64le")
+    set(ARCH "ppc64le")
+    set(ARCH_PPC64LE ON)
+    if(${OQS_DIST_BUILD})
+        set(OQS_DIST_PPC64LE_BUILD ON)
+    endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(ppc64|powerpc64)")
+    message(WARNING "There is currently no CI for: " ${CMAKE_SYSTEM_PROCESSOR})
+    set(ARCH "ppc64")
+    set(ARCH_PPC64 ON)
+    if(${OQS_DIST_BUILD})
+        set(OQS_DIST_PPC64_BUILD ON)
+    endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(ppc|powerpc)")
+    message(WARNING "There is currently no CI for: " ${CMAKE_SYSTEM_PROCESSOR})
+    # CMake uses uname to derive CMAKE_SYSTEM_PROCESSOR value, so on Darwin
+    # the value is identical for ppc and ppc64. To have the right build arch
+    # in 64-bit case, we use CMAKE_OSX_ARCHITECTURES.
+    if(APPLE AND CMAKE_OSX_ARCHITECTURES STREQUAL "ppc64")
+        set(ARCH "ppc64")
+        set(ARCH_PPC64 ON)
+        if(${OQS_DIST_BUILD})
+            set(OQS_DIST_PPC64_BUILD ON)
+        endif()
+    else()
+        set(ARCH "ppc")
+        set(ARCH_PPC ON)
+        if(${OQS_DIST_BUILD})
+            set(OQS_DIST_PPC_BUILD ON)
+        endif()
+    endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "s390x")
+    set(ARCH "s390x")
+    set(ARCH_S390X ON)
+    if(${OQS_DIST_BUILD})
+        set(OQS_DIST_S390X_BUILD ON)
+    endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "riscv")
+    set(ARCH "riscv")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "loongarch64")
+    set(ARCH "loongarch64")
+    set(ARCH_LOONGARCH64 ON)
+    if(${OQS_DIST_BUILD})
+        set(OQS_DIST_LOONGARCH64_BUILD ON)
+    endif()
+elseif(OQS_PERMIT_UNSUPPORTED_ARCHITECTURE)
+    message(WARNING "Unknown or unsupported processor: " ${CMAKE_SYSTEM_PROCESSOR})
+    message(WARNING "Compilation on an unsupported processor should only be used for testing, as it may result an insecure configuration, for example due to variable-time instructions leaking secret information.")
 else()
-    message(FATAL_ERROR "Unknown or unsupported processor: " ${CMAKE_SYSTEM_PROCESSOR})
+    message(FATAL_ERROR "Unknown or unsupported processor: " ${CMAKE_SYSTEM_PROCESSOR} ". Override by setting OQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON")
+endif()
+
+if(${OQS_USE_CUPQC})
+    # CMAKE's CUDA language requires CMAKE 3.18
+    cmake_minimum_required (VERSION 3.18)
+    enable_language(CUDA)
+    if(NOT DEFINED CMAKE_CUDA_ARCHITECTURES)
+      set(CMAKE_CUDA_ARCHITECTURES 80 90)
+    endif()
+    find_package(cuPQC 0.2.0 REQUIRED)
+endif()
+
+if (NOT ((CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin") AND (ARCH_X86_64 STREQUAL "ON")) AND (OQS_LIBJADE_BUILD STREQUAL "ON"))
+    message(FATAL_ERROR "Building liboqs with libjade implementations from libjade is only supported on Linux and Darwin on x86_64.")
 endif()

 # intentionally don't switch to variables to avoid --warn-uninitialized report
@ -66,7 +171,9 @@ else()
    set(OQS_DEBUG_BUILD OFF)
 endif()

-if(WIN32)
+option(OQS_SPEED_USE_ARM_PMU "Use ARM Performance Monitor Unit during benchmarking" OFF)
+
+if(WIN32 AND NOT (MINGW OR MSYS OR CYGWIN))
    set(CMAKE_GENERATOR_CC cl)
 endif()

@ -76,23 +183,46 @@ include(.CMake/alg_support.cmake)
 if(${OQS_USE_OPENSSL})
    if(NOT DEFINED OPENSSL_ROOT_DIR)
        if(${CMAKE_HOST_SYSTEM_NAME} STREQUAL "Darwin")
-            set(OPENSSL_ROOT_DIR "/usr/local/opt/openssl@1.1")
-        elseif(${CMAKE_HOST_SYSTEM_NAME} STREQUAL "Linux")
-            set(OPENSSL_ROOT_DIR "/usr")
+            if(EXISTS "/usr/local/opt/openssl@1.1")
+                set(OPENSSL_ROOT_DIR "/usr/local/opt/openssl@1.1")
+            elseif(EXISTS "/opt/homebrew/opt/openssl@1.1")
+                set(OPENSSL_ROOT_DIR "/opt/homebrew/opt/openssl@1.1")
+            endif()
        endif()
    endif()
    find_package(OpenSSL 1.1.1 REQUIRED)
+
+    if(OQS_DLOPEN_OPENSSL)
+      find_program(OBJDUMP objdump)
+      if(NOT OBJDUMP)
+	message(FATAL_ERROR "objdump not found. Please install it from binutils.")
+      endif()
+      execute_process(
+	COMMAND ${OBJDUMP} -p ${OPENSSL_CRYPTO_LIBRARY}
+	COMMAND sed -n "s/[ 	]\\{1,\\}SONAME[ 	]\\{1,\\}//p"
+	OUTPUT_VARIABLE OQS_OPENSSL_CRYPTO_SONAME
+	OUTPUT_STRIP_TRAILING_WHITESPACE
+	COMMAND_ERROR_IS_FATAL ANY)
+      message(STATUS "OpenSSL dlopen SONAME: " ${OQS_OPENSSL_CRYPTO_SONAME})
+    endif()
 endif()

 set(PUBLIC_HEADERS ${PROJECT_SOURCE_DIR}/src/oqs.h
+                   ${PROJECT_SOURCE_DIR}/src/common/aes/aes_ops.h
                   ${PROJECT_SOURCE_DIR}/src/common/common.h
                   ${PROJECT_SOURCE_DIR}/src/common/rand/rand.h
-                   ${PROJECT_SOURCE_DIR}/src/common/aes/aes.h
-                   ${PROJECT_SOURCE_DIR}/src/common/sha2/sha2.h
-                   ${PROJECT_SOURCE_DIR}/src/common/sha3/sha3.h
-                   ${PROJECT_SOURCE_DIR}/src/common/sha3/sha3x4.h
+                   ${PROJECT_SOURCE_DIR}/src/common/sha2/sha2_ops.h
+                   ${PROJECT_SOURCE_DIR}/src/common/sha3/sha3_ops.h
+                   ${PROJECT_SOURCE_DIR}/src/common/sha3/sha3x4_ops.h
                   ${PROJECT_SOURCE_DIR}/src/kem/kem.h
-                   ${PROJECT_SOURCE_DIR}/src/sig/sig.h)
+                   ${PROJECT_SOURCE_DIR}/src/sig/sig.h
+                   ${PROJECT_SOURCE_DIR}/src/sig_stfl/sig_stfl.h)
+
+set(INTERNAL_HEADERS ${PROJECT_SOURCE_DIR}/src/common/aes/aes.h
+                     ${PROJECT_SOURCE_DIR}/src/common/rand/rand_nist.h
+                     ${PROJECT_SOURCE_DIR}/src/common/sha2/sha2.h
+                     ${PROJECT_SOURCE_DIR}/src/common/sha3/sha3.h
+                     ${PROJECT_SOURCE_DIR}/src/common/sha3/sha3x4.h)

 if(${OQS_ENABLE_KEM_BIKE})
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/bike/kem_bike.h)
@ -100,11 +230,8 @@ endif()
 if(${OQS_ENABLE_KEM_FRODOKEM})
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/frodokem/kem_frodokem.h)
 endif()
-if(${OQS_ENABLE_KEM_SIKE} OR ${OQS_ENABLE_KEM_SIDH})
-    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/sike/kem_sike.h)
-endif()
-if(${OQS_ENABLE_SIG_PICNIC})
-    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/picnic/sig_picnic.h)
+if(OQS_ENABLE_KEM_NTRUPRIME)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ntruprime/kem_ntruprime.h)
 endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_HEADERS_START
 if(OQS_ENABLE_KEM_CLASSIC_MCELIECE)
@ -116,30 +243,43 @@ endif()
 if(OQS_ENABLE_KEM_KYBER)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/kyber/kem_kyber.h)
 endif()
-if(OQS_ENABLE_KEM_NTRU)
-    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ntru/kem_ntru.h)
-endif()
-if(OQS_ENABLE_KEM_NTRUPRIME)
-    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ntruprime/kem_ntruprime.h)
-endif()
-if(OQS_ENABLE_KEM_SABER)
-    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/saber/kem_saber.h)
+if(OQS_ENABLE_KEM_ML_KEM)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ml_kem/kem_ml_kem.h)
 endif()
 if(OQS_ENABLE_SIG_DILITHIUM)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/dilithium/sig_dilithium.h)
 endif()
+if(OQS_ENABLE_SIG_ML_DSA)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/ml_dsa/sig_ml_dsa.h)
+endif()
 if(OQS_ENABLE_SIG_FALCON)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/falcon/sig_falcon.h)
 endif()
-if(OQS_ENABLE_SIG_RAINBOW)
-    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/rainbow/sig_rainbow.h)
-endif()
 if(OQS_ENABLE_SIG_SPHINCS)
    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/sphincs/sig_sphincs.h)
 endif()
+if(OQS_ENABLE_SIG_MAYO)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/mayo/sig_mayo.h)
+endif()
+if(OQS_ENABLE_SIG_CROSS)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/cross/sig_cross.h)
+endif()
+if(OQS_ENABLE_SIG_UOV)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/uov/sig_uov.h)
+endif()
+if(OQS_ENABLE_SIG_SNOVA)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/snova/sig_snova.h)
+endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_HEADERS_END
+if(OQS_ENABLE_SIG_STFL_XMSS)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig_stfl/xmss/sig_stfl_xmss.h)
+endif()
+if(OQS_ENABLE_SIG_STFL_LMS)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig_stfl/lms/sig_stfl_lms.h)
+endif()
 execute_process(COMMAND ${CMAKE_COMMAND} -E make_directory ${PROJECT_BINARY_DIR}/include/oqs)
 execute_process(COMMAND ${CMAKE_COMMAND} -E copy ${PUBLIC_HEADERS} ${PROJECT_BINARY_DIR}/include/oqs)
+execute_process(COMMAND ${CMAKE_COMMAND} -E copy ${INTERNAL_HEADERS} ${PROJECT_BINARY_DIR}/include/oqs)
 configure_file(src/oqsconfig.h.cmake ${PROJECT_BINARY_DIR}/include/oqs/oqsconfig.h)
 set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_BINARY_DIR}/include/oqs/oqsconfig.h)

@ -155,7 +295,7 @@ if(NOT ${OQS_BUILD_ONLY_LIB})
        set(DOXYFILE ${PROJECT_SOURCE_DIR}/docs/.Doxyfile)
        add_custom_target(
            gen_docs
-            COMMAND ${DOXYGEN_EXECUTABLE} ${DOXYFILE}
+            COMMAND ${PROJECT_SOURCE_DIR}/scripts/run_doxygen.sh ${DOXYGEN_EXECUTABLE} ${DOXYFILE} ${PROJECT_BINARY_DIR}
            WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
            COMMENT "Generate API documentation with Doxygen."
            USES_TERMINAL)
@ -170,3 +310,26 @@ if(NOT ${OQS_BUILD_ONLY_LIB})
            USES_TERMINAL)
    endif()
 endif()
+set(CPACK_GENERATOR "DEB")
+set(CPACK_PACKAGE_VENDOR "www.openquantumsafe.org")
+set(CPACK_PACKAGE_VERSION ${OQS_VERSION_TEXT})
+if(${OQS_USE_OPENSSL})
+    set(CPACK_DEBIAN_PACKAGE_DEPENDS "libc6, openssl")
+else()
+    set(CPACK_DEBIAN_PACKAGE_DEPENDS "libc6")
+endif()
+
+set(CPACK_DEBIAN_PACKAGE_MAINTAINER "www.openquantumsafe.org")
+include(CPack)
+
+# uninstall target
+if(NOT TARGET uninstall)
+  configure_file(
+    "${CMAKE_CURRENT_SOURCE_DIR}/.CMake/cmake_uninstall.cmake.in"
+    "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+    IMMEDIATE @ONLY)
+
+  add_custom_target(uninstall
+    COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
+endif()
+
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+conduct@openquantumsafe.org.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
--- a/CONFIGURE.md
+++ b/CONFIGURE.md
@ -0,0 +1,242 @@
+Options for configuring liboqs builds
+=====================================
+
+The following options can be passed to CMake before the build file generation process to customize the way liboqs is built. The syntax for doing so is: `cmake .. [ARGS] [-D<OPTION_NAME>=<OPTION_VALUE>]...`, where `<OPTON_NAME>` is:
+
+- [BUILD_SHARED_LIBS](#BUILD_SHARED_LIBS)
+- [CMAKE_BUILD_TYPE](#CMAKE_BUILD_TYPE)
+- [CMAKE_INSTALL_PREFIX](#CMAKE_INSTALL_PREFIX)
+- [OQS_ALGS_ENABLED](#OQS_ALGS_ENABLED)
+- [OQS_BUILD_ONLY_LIB](#OQS_BUILD_ONLY_LIB)
+- [OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG/OQS_ENABLE_SIG_STFL_ALG](#OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG/OQS_ENABLE_SIG_STFL_ALG)
+- [OQS_MINIMAL_BUILD](#OQS_MINIMAL_BUILD)
+- [OQS_DIST_BUILD](#OQS_DIST_BUILD)
+- [OQS_USE_CPUFEATURE_INSTRUCTIONS](#OQS_USE_CPUFEATURE_INSTRUCTIONS)
+- [OQS_USE_OPENSSL](#OQS_USE_OPENSSL)
+- [OQS_USE_CUPQC](#OQS_USE_CUPQC)
+- [OQS_OPT_TARGET](#OQS_OPT_TARGET)
+- [OQS_SPEED_USE_ARM_PMU](#OQS_SPEED_USE_ARM_PMU)
+- [USE_COVERAGE](#USE_COVERAGE)
+- [USE_SANITIZER](#USE_SANITIZER)
+- [OQS_ENABLE_TEST_CONSTANT_TIME](#OQS_ENABLE_TEST_CONSTANT_TIME)
+- [OQS_STRICT_WARNINGS](#OQS_STRICT_WARNINGS)
+- [OQS_EMBEDDED_BUILD](#OQS_EMBEDDED_BUILD)
+- [OQS_LIBJADE_BUILD](#OQS_LIBJADE_BUILD)
+- [OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG](#OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG)
+- [OQS_BUILD_FUZZ_TESTS](#OQS_BUILD_FUZZ_TESTS)
+
+## BUILD_SHARED_LIBS
+
+Can be set to `ON` or `OFF`. When `ON`, liboqs is built as a shared library.
+
+**Default**: `OFF`.
+
+This means liboqs is built as a static library by default.
+
+## CMAKE_BUILD_TYPE
+
+Can be set to the following values:
+
+- `Debug`: This turns off all compiler optimizations and produces debugging information. **This value only has effect when the compiler is GCC or Clang**
+  - The [USE_COVERAGE](#USE_COVERAGE) option can also be specified to enable code coverage testing.
+  - When the compiler is Clang, the [USE_SANITIZER](#USE_SANITIZER) option can also be specified to enable a Clang sanitizer.
+
+- `Release`: This compiles code at the `O3` optimization level, and sets other compiler flags that reduce the size of the binary.
+
+**Default**: `Release`.
+
+## CMAKE_INSTALL_PREFIX
+
+See the [CMake documentation](https://cmake.org/cmake/help/latest/variable/CMAKE_INSTALL_PREFIX.html).
+
+## OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG/OQS_ENABLE_SIG_STFL_ALG
+
+Note: `ALG` in `OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG/OQS_ENABLE_SIG_STFL_ALG` should be replaced with the specific algorithm name as demonstrated below.
+
+This can be set to `ON` or `OFF`, and is `ON` by default. When `OFF`, `ALG` and its code are excluded from the build process. When `ON`, made available are additional options whereby individual variants of `ALG` can be excluded from the build process. 
+
+For example: if `OQS_ENABLE_KEM_BIKE` is set to `ON`, the options `OQS_ENABLE_KEM_bike_l1`, `OQS_ENABLE_KEM_bike_l3`, and `OQS_ENABLE_KEM_bike_l5` are made available (and are set to be `ON` by default).
+
+To enable `XMSS` stateful signature, set `OQS_ENABLE_SIG_STFL_XMSS` to `ON`, the options `OQS_ENABLE_SIG_STFL_xmss_sha256_h10` and its variants are also set to be `ON` by default. Similarly, `LMS` stateful signature family can also be enabled by setting `OQS_ENABLE_SIG_STFL_LMS` to `ON`.
+
+For a full list of such options and their default values, consult [.CMake/alg_support.cmake](https://github.com/open-quantum-safe/liboqs/blob/master/.CMake/alg_support.cmake).
+
+**Default**: Unset.
+
+## OQS_ALGS_ENABLED
+
+A selected algorithm set is enabled. Possible values are "STD" selecting all algorithms standardized by NIST; "NIST_R4" selecting all algorithms evaluated in round 4 of the NIST PQC competition; "NIST_SIG_ONRAMP" selecting algorithms evaluated in the NIST PQC "onramp" standardization for additional signature schemes; "All" (or any other value) selecting all algorithms integrated into liboqs. Parameter setting "STD" minimizes library size but may require re-running code generator scripts in projects integrating `liboqs`; e.g., [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) and [oqs-boringssl](https://github.com/open-quantum-safe/boringssl).
+
+**Attention**: If you use any predefined value (`STD` or `NIST_R4` or `NIST_SIG_ONRAMP` as of now) for this variable, the values added via [OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG/OQS_ENABLE_SIG_STFL_ALG](#OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG/OQS_ENABLE_SIG_STFL_ALG) variables will be ignored.
+
+**Default**: `All`.
+
+## OQS_BUILD_ONLY_LIB
+
+Can be `ON` or `OFF`. When `ON`, only liboqs is built, and all the targets: `run_tests`, `gen_docs`, and `prettyprint` are excluded from the build system.
+
+**Default**: `OFF`.
+
+## OQS_MINIMAL_BUILD
+
+If set, this defines a semicolon-delimited list of algorithms to be contained in a minimal build of `liboqs`: Only algorithms explicitly set here are included in a build: For example running `cmake -DOQS_MINIMAL_BUILD="KEM_kyber_768;SIG_dilithium_3" ..` will build a minimum-size `liboqs` library only containing support for Kyber768 and Dilithium3.
+
+The full list of identifiers that can be set is listed [here for KEM algorithms](https://github.com/open-quantum-safe/liboqs/blob/main/src/kem/kem.h#L34) and [here for Signature algorithms](https://github.com/open-quantum-safe/liboqs/blob/f3caccff9e6225e7c50ca27f5ee6e58b7bc74188/src/sig/sig.h#L34). The default setting is empty, thus including all [supported algorithms](https://github.com/open-quantum-safe/liboqs#supported-algorithms) in the build.
+
+**Default**: Unset.
+
+## OQS_DIST_BUILD
+
+Can be `ON` or `OFF`. When `ON`, build liboqs for distribution. When `OFF`, build liboqs for use on a single machine.
+
+The library is always built for a particular architecture, either x86-64, ARM32v7, or ARM64v8, depending on the setting of CMAKE_SYSTEM_PROCESSOR. But liboqs contains code that is optimized for micro-architectures as well, e.g. x86-64 with the AVX2 extension.
+
+When built for distribution, the library will run on any CPU of the target architecture. Function calls will be dispatched to micro-architecture optimized routines at run-time using CPU feature detection.
+
+When built for use on a single machine, the library will only include the best available code for the target micro-architecture (see [OQS_OPT_TARGET](#OQS_OPT_TARGET)).
+
+**Default**: `ON`.
+
+## OQS_USE_CPUFEATURE_INSTRUCTIONS
+
+Note: `CPUFEATURE` in `OQS_USE_CPUFEATURE_INSTRUCTIONS` should be replaced with the specific CPU feature as noted below.
+
+These can be set to `ON` or `OFF` and take effect if liboqs is built for use on a single machine. By default, the CPU features are automatically determined and set to `ON` or `OFF` based on the CPU features available on the build system. The default values can be overridden by providing CMake build options. The available options on x86-64 are: `OQS_USE_ADX_INSTRUCTIONS`, `OQS_USE_AES_INSTRUCTIONS`, `OQS_USE_AVX_INSTRUCTIONS`, `OQS_USE_AVX2_INSTRUCTIONS`, `OQS_USE_AVX512_INSTRUCTIONS`, `OQS_USE_BMI1_INSTRUCTIONS`, `OQS_USE_BMI2_INSTRUCTIONS`, `OQS_USE_PCLMULQDQ_INSTRUCTIONS`, `OQS_USE_VPCLMULQDQ_INSTRUCTIONS`, `OQS_USE_POPCNT_INSTRUCTIONS`, `OQS_USE_SSE_INSTRUCTIONS`, `OQS_USE_SSE2_INSTRUCTIONS` and `OQS_USE_SSE3_INSTRUCTIONS`. The available options on ARM64v8 are `OQS_USE_ARM_AES_INSTRUCTIONS`, `OQS_USE_ARM_SHA2_INSTRUCTIONS`, `OQS_USE_ARM_SHA3_INSTRUCTIONS` and `OQS_USE_ARM_NEON_INSTRUCTIONS`.
+
+**Default**: Options valid on the build machine.
+
+## OQS_USE_OPENSSL
+
+To save size and limit the amount of different cryptographic code bases, it is possible to use OpenSSL as a crypto code provider by setting this configuration option.
+
+This can be set to `ON` or `OFF`. When `ON`, the additional options `OQS_USE_AES_OPENSSL`, `OQS_USE_SHA2_OPENSSL`, and `OQS_USE_SHA3_OPENSSL` are made available to control whether liboqs uses OpenSSL's AES, SHA-2, and SHA-3 implementations.
+
+By default,
+- `OQS_USE_AES_OPENSSL` is `ON` (on x86-64 only if `OQS_DIST_BUILD` and `OQS_USE_AES_INSTRUCTIONS` are not set)
+- `OQS_USE_SHA2_OPENSSL` is `ON`
+- `OQS_USE_SHA3_OPENSSL` is `OFF`.
+
+These default choices have been made to optimize the default performance of all algorithms. Changing them implies performance penalties.
+
+When `OQS_USE_OPENSSL` is `ON`, CMake also scans the filesystem to find the minimum version of OpenSSL required by liboqs (which happens to be 1.1.1). The [OPENSSL_ROOT_DIR](https://cmake.org/cmake/help/latest/module/FindOpenSSL.html) option can be set to aid CMake in its search.
+
+**Default**: `ON`.
+
+### OQS_DLOPEN_OPENSSL
+
+Dynamically load OpenSSL through `dlopen`. When using liboqs from other cryptographic libraries, hard dependency on OpenSSL is sometimes undesirable. If this option is `ON`, loading of OpenSSL will be deferred until any of the OpenSSL functions is used.
+
+Only has an effect if the system supports `dlopen` and ELF binary format, such as Linux or BSD family.
+
+### OQS_USE_CUPQC
+
+Can be `ON` or `OFF`.  When `ON`, use NVIDIA's cuPQC library where able (currently just ML-KEM).  When this option is enabled, liboqs may not run correctly on machines that lack supported GPUs. To download cuPQC follow the instructions at (https://developer.nvidia.com/cupqc-download/). Detailed descriptions of the API, requirements, and installation guide are in the cuPQC documentation (https://docs.nvidia.com/cuda/cupqc/index.html). While the code shipped by liboqs required to use cuPQC is licensed under Apache 2.0 the cuPQC SDK comes with its own license agreement (https://docs.nvidia.com/cuda/cupqc/license.html). 
+
+**Default**: `OFF`
+
+
+## Stateful Hash Based Signatures 
+
+XMSS and LMS are the two supported Hash-Based Signatures schemes.
+`OQS_ENABLE_SIG_STFL_XMSS` and `OQS_ENABLE_SIG_STFL_LMS` control these algorithms, which are disabled by default.
+A third variable, `OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN`, also controls the ability to generate keys and signatures. This is also disabled by default.
+Each of these variables can be set to `ON` or `OFF`.
+When all three are `ON`, stateful signatures are fully functional and can generate key pairs, sign data, and verify signatures.
+If `OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN` is `OFF` signature verification is the only functional operation.
+
+Standards bodies, such as NIST, recommend that key and signature generation only by done in hardware in order to best enforce the one-time use of secret keys.
+Keys stored in a file system are extremely susceptible to simultaneous use.
+When enabled in this library a warning message will be generated by the config process.
+The name of the configuration variable has been chosen to make every user of this feature aware of its security risks.
+The OQS team explicitly discourages enabling this variable and reserves the right to remove this feature in future releases if its use causes actual harm.
+It remains present as long as it is responsibly used as per the stated warnings.
+
+By default,
+- `OQS_ENABLE_SIG_STFL_XMSS` is `OFF` 
+- `OQS_ENABLE_SIG_STFL_LMS` is `OFF`
+- `OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN` is `OFF`.
+
+**Default**: `OFF`.
+
+## OQS_OPT_TARGET
+
+An optimization target. Only has an effect if the compiler is GCC or Clang and `OQS_DIST_BUILD=OFF`. Can take any valid input to the `-march` (on x86-64) or `-mcpu` (on ARM32v7 or ARM64v8) option for `CMAKE_C_COMPILER`. Can also be set to one of the following special values.
+  - `auto`: Use `-march=native` or `-mcpu=native` (if the compiler supports it).
+  - `generic`: Use `-march=x86-64` on x86-64, or `-mcpu=cortex-a5` on ARM32v7, or `-mcpu=cortex-a53` on ARM64v8.
+
+**Default**: `auto`.
+
+## OQS_SPEED_USE_ARM_PMU
+
+Can be `ON` or `OFF`. When `ON`, the benchmarking script will try to use the ARMv8 Performance Monitoring Unit (PMU). This will make cycle counts on ARMv8 platforms significantly more accurate.
+
+In order to use this option, user mode access to the PMU must be enabled via a kernel module. If user mode access is not enabled via the kernel module, benchmarking will throw an `Illegal Instruction` error. A kernel module that has been found to work on several platforms can be found [here for Linux](https://github.com/mupq/pqax#enable-access-to-performance-counters). Follow the instructions there (i.e., clone the repository, `cd enable_ccr` and `make install`) to load the kernel module, after which benchmarking should work. Superuser permissions are required. Linux header files must also be installed on your platform, which may not be present by default.
+
+Note that this option is not known to work on Apple M1 chips.
+
+**Default**: `OFF`.
+
+## USE_COVERAGE
+
+This has an effect when the compiler is GCC or Clang and when [CMAKE_BUILD_TYPE](#CMAKE_BUILD_TYPE) is `Debug`. Can be `ON` or `OFF`. When `ON`, code coverage testing will be enabled.
+
+**Default**: Unset.
+
+## USE_SANITIZER
+
+This has an effect when the compiler is Clang and when [CMAKE_BUILD_TYPE](#CMAKE_BUILD_TYPE) is `Debug`. Then, it can be set to:
+
+- `Address`: This enables Clang's `AddressSanitizer`
+- `Memory`: This enables Clang's `MemorySanitizer`
+- `MemoryWithOrigins`: This enables Clang's `MemorySanitizer` with the added functionality of being able to track the origins of uninitialized values
+- `Undefined`: This enables Clang's `UndefinedBehaviorSanitizer`. The `BLACKLIST_FILE` option can be additionally set to a path to a file listing the entities Clang should ignore.
+- `Thread`: This enables Clang's `ThreadSanitizer`
+- `Leak`: This enables Clang's `LeakSanitizer`
+
+**Default**: Unset.
+
+## OQS_ENABLE_TEST_CONSTANT_TIME
+
+This is used in conjunction with `tests/test_constant_time.py` to use Valgrind to look for instances of secret-dependent control flow.  liboqs must also be compiled with [CMAKE_BUILD_TYPE](#CMAKE_BUILD_TYPE) set to `Debug`.  
+
+See the documentation in [`tests/test_constant_time.py`](https://github.com/open-quantum-safe/liboqs/blob/main/tests/test_constant_time.py) for more usage information.
+
+**Default**: `OFF`.
+
+## OQS_STRICT_WARNINGS
+
+Can be `ON` or `OFF`. When `ON`, all compiler warnings are enabled and treated as errors. This setting is recommended to be enabled prior to submission of a Pull Request as CI runs with this setting active. When `OFF`, significantly fewer compiler warnings are enabled such as to avoid undue build errors triggered by (future) compiler warning features/unknown at the development time of this library.
+
+**Default**: `OFF`.
+
+## OQS_EMBEDDED_BUILD
+
+Can be `ON` or `OFF`. When `ON`, calls to standard library functions typically not present in a bare-metal embedded environment are excluded from compilation. 
+
+At the moment, this is **only** considered for random number generation, as both `getentropy()` and a file based `/dev/urandom` are not available on embedded targets (e.g. the Zephyr port).
+
+**Attention**: When this option is enabled, you have to supply a custom callback for obtaining random numbers using the `OQS_randombytes_custom_algorithm()` API before accessing the cryptographic API. Otherwise, all key generation and signing operations will fail. 
+
+**Default**: `OFF`.
+
+## OQS_LIBJADE_BUILD
+Can be `ON` or `OFF`. When `ON` liboqs is built to use high assurance implementations of cryptographic algorithms from [Libjade](https://github.com/formosa-crypto/libjade). The cryptographic primitives in Libjade are written using [Jasmin](https://github.com/jasmin-lang/jasmin) and built using the Jasmin compiler. The Jasmin compiler is proven (in Coq) to preserve semantic correctness of a program, maintain secret-independence of control flow, and maintain secret independence of locations of memory access through compilation. Additionally, the Jasmin compiler guarantees thread safety because Jasmin doesn't support global variables. 
+
+At the moment, Libjade only provides Kyber512 and Kyber768 KEMs. 
+
+At the moment, libjade only supports Linux and Darwin based operating systems on x86_64 platforms.
+
+**Default** `OFF`.
+
+## OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG
+
+Note: `ALG` in `OQS_ENABLE_LIBJADE_KEM_ALG/OQS_ENABLE_LIBJADE_SIG_ALG` should be replaced with the specific algorithm name as demonstrated in OQS_ENABLE_KEM_ALG/OQS_ENABLE_SIG_ALG.
+
+**Default**: `OFF` if OQS_LIBJADE_BUILD is `OFF` else unset.
+
+## OQS_BUILD_FUZZ_TESTS
+Can be `ON` or `OFF`. When `ON` liboqs the fuzz test-suite will be enabled. This option is only available if the c compiler is set to clang i.e. `-DCMAKE_C_COMPILER=clang`.
+
+Note: It is strongly recommended that this configuration be enabled with `CFLAGS=-fsanitize=address,fuzzer-no-link LDFLAGS=-fsanitize=address`. While fuzzing will run without these flags, enabling this instrumentation will make fuzzing performance much faster and catch [potential memory related bugs](https://clang.llvm.org/docs/AddressSanitizer.html). 
+
+**Default** `OFF`.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,94 @@
+# Contributing
+
+The OQS core team welcomes all proposals to improve this project. This may take 
+the form of [a discussion](https://github.com/open-quantum-safe/liboqs/discussions)
+for input or feedback, possible bug reports or feature requests via [issues](https://github.com/open-quantum-safe/liboqs/issues)
+as well as new code and documentation via a [pull request (PR)](https://github.com/open-quantum-safe/liboqs/pulls).
+
+## Baseline design goal
+
+OQS is a collection of many different PQC algorithms, maintained by a small team of people who are not guaranteed to be versed in the intricate details of each algorithm.
+
+Therefore, all contributions to the general logic of the project should be as independent of any single algorithm such as to ease long-term maintainability. If changes are contributed catering to the properties of a specific algorithm, it is expected that consideration is given at least how the other algorithms of the same type (KEM or SIG) should cater to the proposed changes, e.g., by way of a new, generally satisfiable API.
+
+All contributions to a specific algorithm ideally come with the willingness to provide long-term support, or at least a contact person that can help the OQS team pinpoint potential problems with the algorithm.
+
+## Review and Feedback
+
+We aim to provide timely feedback to any input. If you are uncertain as to whether
+a particular contribution is welcome, needed or timely, please first open an [issue](https://github.com/open-quantum-safe/liboqs/issues)
+particularly in case of possible bugs or new feature requests or create a
+[discussion](https://github.com/open-quantum-safe/liboqs/discussions).
+
+## Pull requests
+
+Pull requests should clearly state their purpose, possibly referencing an existing
+[issue](https://github.com/open-quantum-safe/liboqs/issues) when resolving it.
+
+All PRs should move to "Ready for Review" stage only if all CI tests pass (are green).
+
+The OQS core team is happy to provide feedback also to Draft PRs in order to improve
+them before the final "Review" stage.
+
+### Coding style
+
+This project has adopted a slightly modified [Google code formatting style](https://astyle.sourceforge.net/astyle.html#_style=google) for the core components
+of the library as documented in the [style template](.astylerc).
+The `astyle` tool is used to check formatting in CI.
+Due to variations in behaviour across version and platforms, it is possible to encounter CI failures even if code has been locally formatted with `astyle`.
+To assist with this inconvenience, we provide a convenience script which runs `astyle` in the same Docker image that we use for the CI checks:
+```bash
+LIBOQS_DIR=<liboqs directory> ./scripts/format_code.sh
+```
+This script has been tested on x86\_64 Ubuntu and arm64 macOS. Contributions for other platforms are welcome and appreciated!
+
+### Continuous Integration (CI)
+
+`liboqs` uses GitHub Actions for CI.
+For a comprehensive overview of our CI setup, see [CI.md](CI.md).
+
+#### Running CI on your branch
+
+OQS attempts to be responsible with resource usage and only runs a minimal set of tests automatically on push.
+A more thorough test suite runs automatically on pull requests.
+To trigger these tests before creating a PR, include the string "[full tests]" in a commit message.
+Other trigger strings are documented in [CI.md](CI.md#push.yml).
+
+#### Running CI locally
+
+[Act](https://github.com/nektos/act) is a tool facilitating local execution of
+GitHub CI jobs. When executed in the main `liboqs` directory, 
+
+    act -l Displays all GitHub CI jobs
+    act -j some-job Executes "some-job"
+
+When installing `act` as a GitHub extension, prefix the commands with `gh `.
+
+## Modifications to CI
+
+Modifications to GitHub Actions workflows are checked with [actionlint](https://github.com/rhysd/actionlint) during the [basic.yml](.github/workflows/basic.yml) job, protecting the CI chain and against wrong approval decisions based on improper CI runs.  Changes to these workflows can be validated locally with `actionlint`:
+
+```bash
+actionlint .github/workflows/*.yml
+```
+
+or running the CI locally (as above):
+
+```bash
+act workflow_call -W '.github/workflows/basic.yml'
+```
+
+### New features
+
+Any PR introducing a new feature is expected to contain a test of this feature
+and this test should be part of the CI pipeline.
+
+## Failsafe
+
+If you feel your contribution is not getting proper attention, please be sure to
+add a tag to one or more of our [most active contributors](https://github.com/open-quantum-safe/liboqs/graphs/contributors).
+
+## Issues to start working on
+
+If you feel like contributing but don't know what specific topic to work on,
+please check the [open issues tagged "good first issue" or "help wanted"](https://github.com/open-quantum-safe/liboqs/issues).
--- a/19
+++ b/19
@ -1,25 +1,42 @@
 Nicholas Allen (Amazon Web Services)
 Maxime Anvari
 Michael Baentsch
+Zane Beckwith (SandboxAQ)
+HY Chang
+Vitaly Chikunov
 Eric Crockett (Amazon Web Services)
 Nir Drucker
 Ben Davies (University of Waterloo)
 Javad Doliskani (University of Waterloo)
+Ted Eaton (University of Waterloo)
 Nicholas Fulton (Arizona State University)
-Vlad Gheorghiu (evolutionQ, University of Waterloo)
+Vlad Gheorghiu (softwareQ Inc., University of Waterloo)
+Jason Goertzen (University of Waterloo)
 Shay Gueron (Amazon Web Services)
 Torben Hansen (Royal Holloway University of London)
 Basil Hess (IBM Research)
 Kevin Kane (Microsoft Research)
 Nikita Karpey (https://github.com/gadoofou87)
+Dusan Kostic (Amazon Web Services)
+Piotr Kubaj (Intel)
 Tancrède Lepoint (SRI International)
 Shravan Mishra (University of Waterloo)
 Christian Paquin (Microsoft Research)
 Alex Parent (University of Waterloo)
+Sebastian Ramacher (Austrian Institute of Technology)
+John Schanck (University of Waterloo)
 Peter Schwabe (Radboud University Nijmegen)
 Dimitris Sikeridis (University of New Mexico, Cisco Systems)
 Douglas Stebila (University of Waterloo)
 Goutam Tamvada (University of Waterloo)
 John Underhill
+Karolin Varner
 Sebastian Verschoor (University of Waterloo)
 Thom Wiggers (Radboud University)
+Dindyal Jeevesh Rishi (University of Mauritius / cyberstorm.mu)
+Duc Tri Nguyen
+Marco Gianvecchio (Politecnico di Milano)
+Alessandro Barenghi (Politecnico di Milano)
+Gerardo Pelosi (Politecnico di Milano)
+
+See additional contributors at https://github.com/open-quantum-safe/liboqs/graphs/contributors
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@ -0,0 +1,124 @@
+# Governance
+
+## Basic principles
+
+The Open Quantum Safe project aims to operate by the following principles:
+
+- **Openness**: The project will be open in its operation, open to contributions, and produce open source software.
+- **Respect**: The project will foster respectful interactions with all participants.
+- **Scientific integrity**: The project will follow advancements in cryptographic research and will be guided by standards and best practices.
+
+Decision making in the project will follow the principles above, and be governed first and foremost by reason and mutually respectful interaction between all participants.
+The project will aim to build consensus for decisions, and will where possible operate by the approach of [lazy consensus](https://community.apache.org/committers/decisionMaking.html).
+If decisions cannot be reached using lazy consensus, voting will be used to come to a resolution.
+
+## Community and Roles
+
+The OQS community is open to all who would like to participate in the project following its principles, including academic, industry, public sector, and individual contributors.
+
+The following roles exist in the project:
+
+### Users
+
+A **User** is a person or organization using software produced by the project.
+
+Responsibilities:
+
+- Abide by the [license](LICENSE.txt)
+- Consider participating in the project!
+
+### Community Members
+
+A **Community Member** is a User who interacts with the project, for example by participating in discussions on Github or mailing lists, or in project meetings.
+
+Responsibilities:
+
+- Follow the [code of conduct](CODE_OF_CONDUCT.md)
+
+### Contributors
+
+A **Contributor** is a Community Member who contributes directly to the project by submitting code or documentation, or actively participating in issues or pull requests on Github.
+
+### Committers
+
+A **Committer** is a Contributor with increased experience in the project who helps review pull requests and actively participates in discussions about the project. Committers will be members of the open-quantum-safe GitHub organization and will have "write" permissions in GitHub.
+
+Responsibilities:
+
+- Further the goals of the project.
+- Monitor and respond to GitHub issues.
+- Review and merge pull requests.
+- Assist with security releases when required.
+- Participate in discussions and project meetings.
+
+### Maintainers
+
+A **Maintainer** is a Committer who makes significant and sustained contributions to the project, and is committed to guiding the direction of the project. Maintainers will have "administrative" permissions in GitHub.
+
+Responsibilities:
+
+- Oversee the overall project health and growth.
+- Lead communication for the project.
+- Define general and technical guidelines for the project.
+- Identify priorities and manage the release cycle.
+
+### Change of role
+
+Any Community Member may become a Contributor by creating a pull request (PR) and getting it successfully reviewed and merged by Committers.
+
+Any Contributor can become a Committer by contributing sufficient code and displaying deep subject matter knowledge in discussions such that a majority of Committers vote for this change of role. A Maintainer can veto such a vote. Such a veto can be overruled by a 2/3 majority of Committers.
+
+As such a voting decision may be considered subjective, Contributors striving to become Committers are encouraged to ask for advice from Committers/Maintainers as to what they can do to obtain this role. Baseline requirements for contributions are documented in [CONTRIBUTING.md](CONTRIBUTING.md). Any Contributor can create a discussion item to request a vote to become Committer.
+
+Any Committer can become a Maintainer by majority vote of voting Committers. A current Maintainer can veto such a vote. Such a veto can be overruled by a 2/3 majority of all Committers.
+
+A Maintainer is not permitted to remove another Maintainer's GitHub privileges.
+
+A Committer may be automatically moved to Contributor status if not actively contributing by discussion or PR review during the last 90 days or by voluntarily suspending this status (e.g., by taking a ["Leave of absence"](#leave-of-absence)). If a Maintainer loses or relinquishes the Committer status and, hence, the Maintainer status, the Committers have to determine whether a new Maintainer needs to be elected.
+
+Any person violating the [code of conduct](CODE_OF_CONDUCT.md), consistently not fulfilling the role responsibilities, or for other reasons can lose the role held if a simple majority of Committers votes for such removal and no Maintainer vetoes that decision. If a Maintainer is to be removed from that role a 2/3 majority of Committers must agree.
+
+Depending on the reason for removal, a Maintainer may be converted to Emeritus status. Emeritus Maintainers may still be consulted on some project matters, and can be returned to Maintainer status if their availability changes and a simple majority of Committers agrees.
+
+### Leave of absence
+
+Any Committer may voluntarily step down from the role for a documented period of time, losing voting rights for that time period. The period is documented in this file next to the person's name below.  At the end of this time period, the Committer automatically regains their voting rights.
+
+A leave of absence may not be longer than a year. If the Committer needs to be away for longer than that, they must step down from that role unconditionally, and regaining that role becomes subject of normal procedures to become Committer, as described in ["Change of role"](#change-of-role) above.
+
+## Voting
+
+Change of role or changes to this document is subject to voting.
+
+Votes are to be executed by way of open GitHub discussions. No quorum is needed for votes open for 4 weeks. Urgent matters may be decided by majority vote among Maintainers or 2/3 majority by all Committers within an arbitrary voting period.
+
+## Current Maintainers and Committers
+
+### Maintainers
+
+@baentsch (on leave of absence as of March 11, 2025)
+@dstebila
+@SWilson4
+
+### Committers
+
+@baentsch (on leave of absence as of March 11, 2025)
+@bhess
+@christianpaquin
+@dstebila
+@Martyrshot
+@praveksharma
+@SWilson4
+@vsoftco
+
+## Former Maintainers and Committers
+
+OQS is grateful to the following individuals who have previously served as Maintainers or Committers for liboqs.
+
+### Former Committers
+
+@jschanck
+
+## Afterword
+
+*This governance document was based in part of the [Falco Project governance document](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md).
--- a/LICENSE.txt
+++ b/LICENSE.txt
@ -4,7 +4,7 @@ differently; the corresponding subfolder contains the license that applies in
 that case.


-Copyright (c) 2016-2020 Open Quantum Safe project
+Copyright (c) 2016-2024 The Open Quantum Safe project authors

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/PLATFORMS.md
+++ b/PLATFORMS.md
@ -0,0 +1,68 @@
+# Supported platforms
+
+This file documents the different platforms supported by `liboqs` and therefore defines three different support tiers:
+
+## Support tiers
+
+This classification is roughly based on the [rust platform support tier classification](https://doc.rust-lang.org/beta/rustc/platform-support.html):
+
+### Tier 1
+
+Tier 1 targets can be thought of as "guaranteed to work". The CI system builds and tests binary versions for each tier 1 target to make sure any change does not negatively affect those platforms. Platform-specific build documentation must exist. Tier 1 targets marked with a dagger (†) are additionally tested for constant-time behaviour. The CI system contains automated constant-time testing for each of these starred targets, and all failures are documented in the `tests/constant_time` directory. IMPORTANT: This does not mean that constant-time behaviour is guaranteed on these targets, or that non-constant-time behaviour is limited to documented exceptions. It does, however, mean that `liboqs` developers should track constant-time issues on these platforms.
+
+Tier 1 platforms are also prioritized for security support, as per the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md).
+
+### Tier 2
+
+Tier 2 targets can be thought of as "guaranteed to build". The `liboqs` CI system contains builds for each tier 2 target; testing may or may not be available (typically depending on CI system platform availability). Therefore, tier 2 targets often work to quite a good degree and patches are always welcome! Tier 2 targets may also have known deficiencies caused by a lack of expertise to fix those on a given platform. Again, help and PRs to move platforms from tier 2 to tier 1 are always welcome.
+
+### Tier 3
+
+Tier 3 targets are those which the `liboqs` codebase has support for, but which the CI system does not build or test automatically, so they may or may not work. Platform-specific build documentation should exist.
+
+## Platform tier policy
+
+Tier 2 and tier 1 targets place work on `liboqs` core project developers as a whole, to avoid breaking the target. The broader `liboqs` community may also feel more inclined to support higher-tier targets in their work. Thus, these tiers require commensurate and ongoing efforts from the maintainers of the target, to demonstrate value and to minimize any disruptions to ongoing `liboqs` development.
+
+This policy defines the requirements for accepting a proposed target at a given level of support.
+
+Each tier builds on all the requirements from the previous tier, unless overridden by a stronger requirement.
+
+Change of tier is subject to approval by the `liboqs` technical governance team.  This team is responsible for reviewing and evaluating the target, based on these requirements and their own judgment. The tea may apply additional requirements, including subjective requirements, such as to deal with issues not foreseen by this policy. (Such requirements may subsequently motivate additions to this policy.)
+
+While these criteria attempt to document the policy, that policy still involves human judgment. Targets must fulfill the spirit of the requirements as well, as determined by the judgment of the approving team. Reviewers and team members evaluating targets and target-specific patches should always use their own best judgment regarding the quality of work, and the suitability of a target for the `liboqs` project. Neither this policy nor any decisions made regarding targets shall create any binding agreement or estoppel by any party.
+
+Before filing an issue or pull request (PR) to introduce or promote a target, the target should already meet the corresponding tier requirements. This does not preclude an existing target's maintainers using issues (on the `liboqs` repository or otherwise) to track requirements that have not yet been met, as appropriate; however, before officially proposing the introduction or promotion of a target, it should meet all of the necessary requirements. A target proposal must quote the corresponding requirements verbatim and respond to them as part of explaining how the target meets those requirements. (For the requirements that simply state that the target or the target developers must not do something, it suffices to acknowledge the requirement.)
+
+Several parts of this policy require providing target-specific documentation. Such documentation should typically appear in a subdirectory of the platform-support section of the `liboqs` manual, with a link from the target's entry in platform support.
+
+Note that a target must have already received approval for the next lower tier, and spent a reasonable amount of time at that tier, before making a proposal for promotion to the next higher tier; this is true even if a target meets the requirements for several tiers at once. This policy leaves the precise interpretation of "reasonable amount of time" up to the approving team; the team may scale the amount of time required based on their confidence in the target and its demonstrated track record at its current tier. At a minimum, multiple stable releases of `liboqs` should typically occur between promotions of a target.
+
+The availability or tier of a target in stable `liboqs` is not a hard stability guarantee about the future availability or tier of that target. Higher-level target tiers are an increasing commitment to the support of a target, and we will take that commitment and potential disruptions into account when evaluating the potential demotion or removal of a target that has been part of a stable release. The promotion or demotion of a target will not generally affect existing stable releases, only current development and future releases.
+
+In this policy, the words "must" and "must not" specify absolute requirements that a target must meet to qualify for a tier. The words "should" and "should not" specify requirements that apply in almost all cases, but for which the approving teams may grant an exception for good reason. The word "may" indicates something entirely optional, and does not indicate guidance or recommendations. This language is based on [IETF RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119).
+
+## Platforms supported
+
+### Tier 1
+
+- x86_64/amd64/x64 for Ubuntu Linux (Noble)†
+- x86_64/amd64/x64 for MacOS (XCode 15)
+- aarch64 for Ubuntu (Noble)
+- aarch64 for MacOS (XCode 15 and 16)
+- armhf/ARM7 and aarch64 emulation on Ubuntu
+
+### Tier 2
+
+- x86_64/amd64/x64 for Windows (Visual Studio Toolchain) 2022 and 2025
+- armeabi-v7a, arm64-v8a, x86, x86_64 for Android
+- aarch64 for Apple iOS and tvOS (CMake `-DPLATFORM=OS64` and `TVOS`)
+- arm64, arm (32 bit), x86, x86_64, riscv32, riscv64 for Zephyr
+
+### Tier 3
+
+- x86 for Windows (Visual Studio Toolchain)
+- ppc641e for Ubuntu (Focal)
+- s390x for Ubuntu (Focal)
+- loongarch64 for Debian Linux (trixie)
+- NVIDIA GPU architectures 70, 75, 80, 86, 89, and 90 with a x86_64 CPU for Linux
--- a/README.md
+++ b/README.md
@ -1,22 +1,29 @@
-[AppVeyor](https://ci.appveyor.com/project/dstebila/liboqs): ![Build status image](https://ci.appveyor.com/api/projects/status/9d2ts78x88r8wnii/branch/main?svg=true), [CircleCI](https://circleci.com/gh/open-quantum-safe/liboqs/tree/main): ![Build status image](https://circleci.com/gh/open-quantum-safe/liboqs/tree/main.svg?style=svg)
-
 liboqs
 ======================

+[![Main Branch Tests](https://github.com/open-quantum-safe/liboqs/actions/workflows/commit-to-main.yml/badge.svg)](https://github.com/open-quantum-safe/liboqs/actions/workflows/commit-to-main.yml)
+[![Weekly Tests](https://github.com/open-quantum-safe/liboqs/actions/workflows/weekly.yml/badge.svg)](https://github.com/open-quantum-safe/liboqs/actions/workflows/weekly.yml)
+![Travis Build Status](https://img.shields.io/travis/com/open-quantum-safe/liboqs?logo=travis&label=Travis%20CI&labelColor=%23343B42&color=%232EBB4E)
+[![Coverage Status](https://coveralls.io/repos/github/open-quantum-safe/liboqs/badge.svg?branch=main)](https://coveralls.io/github/open-quantum-safe/liboqs?branch=main)
+
 liboqs is an open source C library for quantum-safe cryptographic algorithms.

- [Overview](#overview)
- [Status](#status)
-  * [Supported algorithms](#supported-algorithms)
-  * [Limitations and Security](#limitations-and-security)
- [Quickstart](#quickstart)
-  * [Linux / macOS](#linuxmacOS)
-  * [Windows](#windows)
-  * [Cross compilation](#cross-compilation)
- [Documentation](#documentation)
- [Contributing](#contributing)
- [License](#license)
- [Acknowledgements](#acknowledgements)
+- [liboqs](#liboqs)
+	- [Overview](#overview)
+	- [Status](#status)
+		- [Supported Algorithms](#supported-algorithms)
+			- [Key encapsulation mechanisms](#key-encapsulation-mechanisms)
+			- [Signature schemes](#signature-schemes)
+		- [Limitations and Security](#limitations-and-security)
+			- [Platform limitations](#platform-limitations)
+	- [Quickstart](#quickstart)
+		- [Linux and Mac](#linux-and-mac)
+		- [Windows](#windows)
+		- [Cross compilation](#cross-compilation)
+	- [Documentation](#documentation)
+	- [Contributing](#contributing)
+	- [License](#license)
+	- [Acknowledgements](#acknowledgements)

 ## Overview

@ -26,66 +33,99 @@ liboqs provides:
 - a common API for these algorithms
 - a test harness and benchmarking routines

-liboqs is part of the **Open Quantum Safe (OQS)** project led by [Douglas Stebila](https://www.douglas.stebila.ca/research/) and [Michele Mosca](http://faculty.iqc.uwaterloo.ca/mmosca/), which aims to develop and integrate into applications quantum-safe cryptography to facilitate deployment and testing in real world contexts. In particular, OQS provides prototype integrations of liboqs into TLS and SSH, through [OpenSSL](https://github.com/open-quantum-safe/openssl) and [OpenSSH](https://github.com/open-quantum-safe/openssh-portable).
+liboqs is part of the **Open Quantum Safe (OQS)** project, which aims to develop and integrate into applications quantum-safe cryptography to facilitate deployment and testing in real world contexts. In particular, OQS provides prototype integrations of liboqs into protocols like TLS, X.509, and S/MIME, through our [OpenSSL 3 Provider](https://github.com/open-quantum-safe/oqs-provider) and we provide a variety of other [post-quantum-enabled demos](https://github.com/open-quantum-safe/oqs-demos).

-More information on OQS can be found [here](https://openquantumsafe.org/) and in the [associated](https://openquantumsafe.org/papers/SAC-SteMos16.pdf) [whitepapers](https://openquantumsafe.org/papers/NISTPQC-CroPaqSte19.pdf).
+The OQS project is supported by the [Post-Quantum Cryptography Alliance](https://pqca.org/) as part of the [Linux Foundation](https://linuxfoundation.org/). More information about the Open Quantum Safe project can be found at [openquantumsafe.org](https://openquantumsafe.org/).
+
+OQS is running a survey to better understand our community. We would like to hear from organizations and individuals about their interest in and use of the Open Quantum Safe project. Please take a few minutes to fill out the survey: https://linuxfoundation.surveymonkey.com/r/oqssurvey

 ## Status

 ### Supported Algorithms

-Details on each supported algorithm can be found in the [docs/algorithms folder](https://github.com/open-quantum-safe/liboqs/tree/main/docs/algorithms).
+Details on each supported algorithm can be found in the [docs/algorithms](https://github.com/open-quantum-safe/liboqs/tree/main/docs/algorithms) folder.
+
+The list below indicates all algorithms currently supported by liboqs, including experimental algorithms and already excluding algorithm variants pruned during the NIST competition, such as Kyber-90s or Dilithium-AES.
+
+The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/final) (final standard) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes.
+
+Falcon and SPHINCS+ have also been [selected for standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022), but the `liboqs` implementations of these algorithms are currently tracking Round 3 submissions and not NIST standards drafts.
+
+All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes available a [selection mechanism for algorithms on the NIST standards track, continued NIST competition, or purely experimental nature by way of the configuration variable OQS_ALGS_ENABLED](CONFIGURE.md#oQS_ALGS_ENABLED). By default `liboqs` is built supporting all, incl. experimental, PQ algorithms listed below.

 #### Key encapsulation mechanisms

- **BIKE**: BIKE1-L1-CPA, BIKE1-L3-CPA, BIKE1-L1-FO, BIKE1-L3-FO
+<!--- OQS_TEMPLATE_FRAGMENT_LIST_KEXS_START -->
+- **BIKE**: BIKE-L1, BIKE-L3, BIKE-L5
 - **Classic McEliece**: Classic-McEliece-348864†, Classic-McEliece-348864f†, Classic-McEliece-460896†, Classic-McEliece-460896f†, Classic-McEliece-6688128†, Classic-McEliece-6688128f†, Classic-McEliece-6960119†, Classic-McEliece-6960119f†, Classic-McEliece-8192128†, Classic-McEliece-8192128f†
 - **FrodoKEM**: FrodoKEM-640-AES, FrodoKEM-640-SHAKE, FrodoKEM-976-AES, FrodoKEM-976-SHAKE, FrodoKEM-1344-AES, FrodoKEM-1344-SHAKE
- **HQC**: HQC-128-1-CCA2, HQC-192-1-CCA2, HQC-192-2-CCA2, HQC-256-1-CCA2†, HQC-256-2-CCA2†, HQC-256-3-CCA2†
- **Kyber**: Kyber512, Kyber768, Kyber1024, Kyber512-90s, Kyber768-90s, Kyber1024-90s
- **NTRU**: NTRU-HPS-2048-509, NTRU-HPS-2048-677, NTRU-HPS-4096-821, NTRU-HRSS-701
- **NTRU-Prime**: ntrulpr653, ntrulpr761, ntrulpr857, sntrup653, sntrup761, sntrup857
- **SABER**: LightSaber-KEM, Saber-KEM, FireSaber-KEM
- **SIKE**: SIDH-p434, SIDH-p503, SIDH-p610, SIDH-p751, SIKE-p434, SIKE-p503, SIKE-p610, SIKE-p751, SIDH-p434-compressed, SIDH-p503-compressed, SIDH-p610-compressed, SIDH-p751-compressed, SIKE-p434-compressed, SIKE-p503-compressed, SIKE-p610-compressed, SIKE-p751-compressed
+- **HQC**: HQC-128, HQC-192, HQC-256
+- **Kyber**: Kyber512, Kyber768, Kyber1024
+- **ML-KEM**: ML-KEM-512, ML-KEM-768, ML-KEM-1024
+- **NTRU-Prime**: sntrup761
+<!--- OQS_TEMPLATE_FRAGMENT_LIST_KEXS_END -->

 #### Signature schemes

- **Dilithium**: Dilithium2, Dilithium2-AES, Dilithium3, Dilithium3-AES, Dilithium5, Dilithium5-AES
- **Falcon**: Falcon-512, Falcon-1024
- **Picnic**: Picnic-L1-FS, Picnic-L1-UR, Picnic-L1-full, Picnic-L3-FS, Picnic-L3-UR, Picnic-L3-full, Picnic-L5-FS, Picnic-L5-UR, Picnic-L5-full, Picnic3-L1, Picnic3-L3, Picnic3-L5
- **Rainbow**: Rainbow-I-Classic, Rainbow-I-Circumzenithal, Rainbow-I-Compressed, Rainbow-III-Classic†, Rainbow-III-Circumzenithal†, Rainbow-III-Compressed†, Rainbow-V-Classic†, Rainbow-V-Circumzenithal†, Rainbow-V-Compressed†
- **SPHINCS+-Haraka**: SPHINCS+-Haraka-128f-robust, SPHINCS+-Haraka-128f-simple, SPHINCS+-Haraka-128s-robust, SPHINCS+-Haraka-128s-simple, SPHINCS+-Haraka-192f-robust, SPHINCS+-Haraka-192f-simple, SPHINCS+-Haraka-192s-robust, SPHINCS+-Haraka-192s-simple, SPHINCS+-Haraka-256f-robust, SPHINCS+-Haraka-256f-simple, SPHINCS+-Haraka-256s-robust, SPHINCS+-Haraka-256s-simple
- **SPHINCS+-SHA256**: SPHINCS+-SHA256-128f-robust, SPHINCS+-SHA256-128f-simple, SPHINCS+-SHA256-128s-robust, SPHINCS+-SHA256-128s-simple, SPHINCS+-SHA256-192f-robust, SPHINCS+-SHA256-192f-simple, SPHINCS+-SHA256-192s-robust, SPHINCS+-SHA256-192s-simple, SPHINCS+-SHA256-256f-robust, SPHINCS+-SHA256-256f-simple, SPHINCS+-SHA256-256s-robust, SPHINCS+-SHA256-256s-simple
- **SPHINCS+-SHAKE256**: SPHINCS+-SHAKE256-128f-robust, SPHINCS+-SHAKE256-128f-simple, SPHINCS+-SHAKE256-128s-robust, SPHINCS+-SHAKE256-128s-simple, SPHINCS+-SHAKE256-192f-robust, SPHINCS+-SHAKE256-192f-simple, SPHINCS+-SHAKE256-192s-robust, SPHINCS+-SHAKE256-192s-simple, SPHINCS+-SHAKE256-256f-robust, SPHINCS+-SHAKE256-256f-simple, SPHINCS+-SHAKE256-256s-robust, SPHINCS+-SHAKE256-256s-simple
+<!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_START -->
+- **CROSS**: cross-rsdp-128-balanced, cross-rsdp-128-fast, cross-rsdp-128-small†, cross-rsdp-192-balanced, cross-rsdp-192-fast, cross-rsdp-192-small†, cross-rsdp-256-balanced†, cross-rsdp-256-fast, cross-rsdp-256-small†, cross-rsdpg-128-balanced, cross-rsdpg-128-fast, cross-rsdpg-128-small, cross-rsdpg-192-balanced, cross-rsdpg-192-fast, cross-rsdpg-192-small†, cross-rsdpg-256-balanced, cross-rsdpg-256-fast, cross-rsdpg-256-small†
+- **CRYSTALS-Dilithium**: Dilithium2, Dilithium3, Dilithium5
+- **Falcon**: Falcon-512, Falcon-1024, Falcon-padded-512, Falcon-padded-1024
+- **MAYO**: MAYO-1, MAYO-2, MAYO-3, MAYO-5†
+- **ML-DSA**: ML-DSA-44, ML-DSA-65, ML-DSA-87
+- **SNOVA**: SNOVA\_24\_5\_4, SNOVA\_24\_5\_4\_SHAKE, SNOVA\_24\_5\_4\_esk, SNOVA\_24\_5\_4\_SHAKE\_esk, SNOVA\_37\_17\_2†, SNOVA\_25\_8\_3, SNOVA\_56\_25\_2†, SNOVA\_49\_11\_3†, SNOVA\_37\_8\_4†, SNOVA\_24\_5\_5†, SNOVA\_60\_10\_4†, SNOVA\_29\_6\_5†
+- **SPHINCS+-SHA2**: SPHINCS+-SHA2-128f-simple, SPHINCS+-SHA2-128s-simple, SPHINCS+-SHA2-192f-simple, SPHINCS+-SHA2-192s-simple, SPHINCS+-SHA2-256f-simple, SPHINCS+-SHA2-256s-simple
+- **SPHINCS+-SHAKE**: SPHINCS+-SHAKE-128f-simple, SPHINCS+-SHAKE-128s-simple, SPHINCS+-SHAKE-192f-simple, SPHINCS+-SHAKE-192s-simple, SPHINCS+-SHAKE-256f-simple, SPHINCS+-SHAKE-256s-simple
+- **UOV**: OV-Is, OV-Ip, OV-III, OV-V, OV-Is-pkc, OV-Ip-pkc, OV-III-pkc, OV-V-pkc, OV-Is-pkc-skc, OV-Ip-pkc-skc, OV-III-pkc-skc, OV-V-pkc-skc
+<!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END -->
+- **XMSS**: XMSS-SHA2_10_256, XMSS-SHA2_16_256, XMSS-SHA2_20_256, XMSS-SHAKE_10_256, XMSS-SHAKE_16_256, XMSS-SHAKE_20_256, XMSS-SHA2_10_512, XMSS-SHA2_16_512, XMSS-SHA2_20_512, XMSS-SHAKE_10_512, XMSS-SHAKE_16_512, XMSS-SHAKE_20_512, XMSS-SHA2_10_192, XMSS-SHA2_16_192, XMSS-SHA2_20_192, XMSS-SHAKE256_10_192, XMSS-SHAKE256_16_192, XMSS-SHAKE256_20_192, SHAKE256_10_256, SHAKE256_16_256, SHAKE256_20_256, XMSSMT-SHA2_20/2_256, XMSSMT-SHA2_20/4_256, XMSSMT-SHA2_40/2_256, XMSSMT-SHA2_40/4_256, XMSSMT-SHA2_40/8_256, XMSSMT-SHA2_60/3_256, XMSSMT-SHA2_60/6_256, XMSSMT-SHA2_60/12_256, XMSSMT-SHAKE_20/2_256, XMSSMT-SHAKE_20/4_256, XMSSMT-SHAKE_40/2_256, XMSSMT-SHAKE_40/4_256, XMSSMT-SHAKE_40/8_256, XMSSMT-SHAKE_60/3_256, XMSSMT-SHAKE_60/6_256, XMSSMT-SHAKE_60/12_256 
+- **LMS**: LMS_SHA256_H5_W1, LMS_SHA256_H5_W2, LMS_SHA256_H5_W4, LMS_SHA256_H5_W8, LMS_SHA256_H10_W1, LMS_SHA256_H10_W2, LMS_SHA256_H10_W4, LMS_SHA256_H10_W8, LMS_SHA256_H15_W1, LMS_SHA256_H15_W2, LMS_SHA256_H15_W4, LMS_SHA256_H15_W8, LMS_SHA256_H20_W1, LMS_SHA256_H20_W2, LMS_SHA256_H20_W4, LMS_SHA256_H20_W8, LMS_SHA256_H25_W1, LMS_SHA256_H25_W2, LMS_SHA256_H25_W4, LMS_SHA256_H25_W8, LMS_SHA256_H5_W8_H5_W8, LMS_SHA256_H10_W4_H5_W8, LMS_SHA256_H10_W8_H5_W8, LMS_SHA256_H10_W2_H10_W2, LMS_SHA256_H10_W4_H10_W4, LMS_SHA256_H10_W8_H10_W8, LMS_SHA256_H15_W8_H5_W8, LMS_SHA256_H15_W8_H10_W8, LMS_SHA256_H15_W8_H15_W8, LMS_SHA256_H20_W8_H5_W8, LMS_SHA256_H20_W8_H10_W8, LMS_SHA256_H20_W8_H15_W8, LMS_SHA256_H20_W8_H20_W8

-Note that algorithms marked with a dagger (†) have large stack usage and may cause failures when run on threads or in constrained environments.
+Note that for algorithms marked with a dagger (†), liboqs contains at least one implementation that uses a large amount of stack space; this may cause failures when run in threads or in constrained environments. For more information, consult the algorithm information sheets in the [docs/algorithms](https://github.com/open-quantum-safe/liboqs/tree/main/docs/algorithms) folder.

 ### Limitations and Security

-While at the time of this writing there are no vulnerabilities known in any of the quantum-safe algorithms used in this library, caution is advised when deploying quantum-safe algorithms as most of the algorithms and software have not been subject to the same degree of scrutiny as for currently deployed algorithms. Particular attention should be paid to guidance provided by the standards community, especially from the NIST [Post-Quantum Cryptography Standardization](https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization) project.  As research advances, the supported algorithms may see rapid changes in their security, and may even prove insecure against both classical and quantum computers.
+While at the time of this writing there are no vulnerabilities known in any of the quantum-safe algorithms used in this library, caution is advised when deploying quantum-safe algorithms as most of the algorithms and software have not been subject to the same degree of scrutiny as for currently deployed algorithms. Particular attention should be paid to guidance provided by the standards community, especially from the NIST [Post-Quantum Cryptography Standardization](https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization) project.  As research advances, the supported algorithms may see rapid changes in their security, and may even prove insecure against both classical and quantum computers. Moreover, note that the `sntrup761` is only included for interop testing.

-liboqs does not intend to "pick winners": algorithm support is informed by the NIST PQC standardization project. We strongly recommend that applications and protocols rely on the outcomes of ths effort when deploying post-quantum cryptography.
+liboqs does not intend to "pick winners": algorithm support is informed by the NIST PQC standardization project. We strongly recommend that applications and protocols rely on the outcomes of this effort when deploying post-quantum cryptography.

 We realize some parties may want to deploy quantum-safe cryptography prior to the conclusion of the NIST PQC standardization project.  We strongly recommend such attempts make use of so-called **hybrid cryptography**, in which quantum-safe public-key algorithms are used alongside traditional public key algorithms (like RSA or elliptic curves) so that the solution is at least no less secure than existing traditional cryptography.

 **WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS LIBRARY IN A PRODUCTION ENVIRONMENT OR TO PROTECT ANY SENSITIVE DATA.** This library is meant to help with research and prototyping.  While we make a best-effort approach to avoid security bugs, this library has not received the level of auditing and analysis that would be necessary to rely on it for high security use.

+Please see [SECURITY.md](SECURITY.md#security-policy) for details on how to report a vulnerability and the OQS vulnerability response process.
+
+#### Platform limitations
+
+In order to optimize support effort,
+- not all algorithms are equally well supported on all platforms. In case of questions, it is first advised to review the [documentation files for each algorithm](docs/algorithms).
+- not all compilers are equally well supported. For example, at least v7.1.0 of the GNU compiler is required.
+
+#### Support limitations
+
+This project is not commercially supported. All guidelines and goals for liboqs are reflections of current practices, executed by a community of academic, part-time, and/or voluntary contributors on a best-effort basis and may change at any time. Any entity seeking more reliable commitments is strongly encouraged to join the OQS community and thus enhance the code and support that the community can provide.
+
+
 ## Quickstart

-### Linux/macOS
+### Linux and Mac

 1. Install dependencies:

 	On Ubuntu:

-		 sudo apt install astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz
+		 sudo apt install astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind

 	On macOS, using a package manager of your choice (we've picked Homebrew):

-		brew install cmake ninja openssl@1.1 wget doxygen graphviz astyle
-		pip3 install pytest pytest-xdist
+		brew install cmake ninja openssl@3 wget doxygen graphviz astyle valgrind
+		pip3 install pytest pytest-xdist pyyaml

-	Note that, if you want liboqs to use OpenSSL for various symmetric crypto algorithms (AES, SHA-2, etc.) then you must have OpenSSL version 1.1.1 or higher.
+	Using Nix:
+
+	    nix develop
+
+	Note that, if you want liboqs to use OpenSSL for various symmetric crypto algorithms (AES, SHA-2, etc.) then you must have OpenSSL installed (version 3.x recommended; EOL version 1.1.1 also still possible).

 2. Get the source:

@ -98,22 +138,26 @@ We realize some parties may want to deploy quantum-safe cryptography prior to th
 		cmake -GNinja ..
 		ninja

-Various `cmake` build options to customize the resultant artifacts are available and are [documented in the project Wiki](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). All supported options are also listed in the `.CMake/alg-support.cmake` file, and can be viewed by running `cmake -LAH ..` in the `build` directory.
+Various `cmake` build options to customize the resultant artifacts are available and are [documented in CONFIGURE.md](CONFIGURE.md#options-for-configuring-liboqs-builds). All supported options are also listed in the `.CMake/alg-support.cmake` file, and can be viewed by running `cmake -LAH -N ..` in the `build` directory.

 The following instructions assume we are in `build`.

-3. The main build result is `lib/liboqs.a`, a static library. The public headers are located in the `include` directory. There are also a variety of programs built under the `tests` directory:
+3. By default the main build result is `lib/liboqs.a`, a static library. If you want to build a shared/dynamic library, append [`-DBUILD_SHARED_LIBS=ON`](CONFIGURE.md#bUILD_SHARED_LIBS) to the `cmake -GNinja ..` command above and the result will be `lib/liboqs.so|dylib|dll`. The public headers are located in the `include` directory. There are also a variety of programs built under the `tests` directory:

 	- `test_kem`: Simple test harness for key encapsulation mechanisms
-	- `test_sig`: Simple test harness for key signature schemes
+	- `test_sig`: Simple test harness for signature schemes
+	- `test_sig_stfl`: Simple test harness for stateful signature schemes
 	- `test_kem_mem`: Simple test harness for checking memory consumption of key encapsulation mechanisms
-	- `test_sig_mem`: Simple test harness for checking memory consumption of key signature schemes
+	- `test_sig_mem`: Simple test harness for checking memory consumption of signature schemes
 	- `kat_kem`: Program that generates known answer test (KAT) values for key encapsulation mechanisms using the same procedure as the NIST submission requirements, for checking against submitted KAT values using `tests/test_kat.py`
 	- `kat_sig`: Program that generates known answer test (KAT) values for signature schemes using the same procedure as the NIST submission requirements, for checking against submitted KAT values using `tests/test_kat.py`
+	- `kat_sig_stfl`: Program for checking results against submitted KAT values using `tests/test_kat.py`
 	- `speed_kem`: Benchmarking program for key encapsulation mechanisms; see `./speed_kem --help` for usage instructions
 	- `speed_sig`: Benchmarking program for signature mechanisms; see `./speed_sig --help` for usage instructions
+	- `speed_sig_stfl`: Benchmarking program for stateful signature mechanisms; see `./speed_sig_stfl --help` for usage instructions
 	- `example_kem`: Minimal runnable example showing the usage of the KEM API
 	- `example_sig`: Minimal runnable example showing the usage of the signature API
+	- `example_sig_stfl`: Minimal runnable example showing the usage of the stateful signature API
 	- `test_aes`, `test_sha3`: Simple test harnesses for crypto sub-components
 	- `test_portability`: Simple test harnesses for checking cross-CPU code portability; requires presence of `qemu`; proper operation validated only on Ubuntu

@ -125,9 +169,12 @@ The following instructions assume we are in `build`.

 		ninja gen_docs

-	Then open `docs/doxygen/html/index.html` in your web browser.
+	Then open `docs/html/index.html` in your web browser.
+
+4. `ninja install` can be run to install the built library and `include` files to a location of choice, which can be specified by passing the `-DCMAKE_INSTALL_PREFIX=<dir>` option to `cmake` at configure time. Alternatively, `ninja package` can be run to create an install package.
+
+5. `ninja uninstall` can be run to remove all installation files.

-4. Finally, `ninja install` can be run to install the built library and `include` files to a location of choice, which can be specified by passing the `-DCMAKE_INSTALL_PREFIX=<dir>` option to `cmake` at configure time.

 ### Windows

@ -162,18 +209,26 @@ liboqs includes some third party libraries or modules that are licensed differen
 - `src/common/crypto/sha3/xkcp_low` : CC0 (public domain), except `brg_endian.h` and `KeccakP-1600-AVX2.s`
 - `src/common/crypto/sha3/xkcp_low/.../brg_endian.h` : BSD 3-Clause License
 - `src/common/crypto/sha3/xkcp_low/.../KeccakP-1600-AVX2.s` : BSD-like [CRYPTOGAMS license](http://www.openssl.org/~appro/cryptogams/)
+- `src/common/rand/rand_nist.c`: See file
 - `src/kem/bike/additional`: Apache License v2.0
 - `src/kem/classic_mceliece/pqclean_*`: public domain
- `src/kem/kyber/pqclean_*`: public domain
- `src/kem/ntru/pqclean_*`: public domain
- `src/kem/saber/pqclean_*`: public domain
- `src/sig/dilithium/pqclean_*`: public domain
- `src/sig/rainbow/pqclean_*`: CC0 (public domain)
+- `src/kem/kyber/pqcrystals-*`: public domain (CC0) or Apache License v2.0
+- `src/kem/kyber/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
+- `src/kem/kyber/libjade_*` public domain (CC0) or Apache License v2.
+- `src/kem/ml_kem/mlkem-native_*`: Apache License v2.0
+- `src/sig/dilithium/pqcrystals-*`: public domain (CC0) or Apache License v2.0
+- `src/sig/dilithium/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
+-  src/sig/falcon/pqclean_\*\_aarch64 : Apache License v2.0
+- `src/sig/mayo/*`: Apache License v2.0
+- `src/sig/ml_dsa/pqcrystals-*`: public domain (CC0) or Apache License v2.0
 - `src/sig/sphincs/pqclean_*`: CC0 (public domain)

 ## Acknowledgements

-Various companies, including Amazon Web Services, Cisco Systems, evolutionQ, IBM Research, and Microsoft Research have dedicated programmer time to contribute source code to OQS. [Various people](CONTRIBUTORS) have contributed source code to liboqs.
+The OQS project is supported by the [Post-Quantum Cryptography Alliance](https://pqca.org/) as part of the [Linux Foundation](https://linuxfoundation.org/).
+
+The OQS project was founded by Douglas Stebila and Michele Mosca at the University of Waterloo.  [Contributors to liboqs](https://github.com/open-quantum-safe/liboqs/blob/main/CONTRIBUTORS) include individual contributors, academics and researchers, and various companies, including Amazon Web Services, Cisco Systems, evolutionQ, IBM Research, Microsoft Research, SandboxAQ, and softwareQ.
+
+Financial support for the development of Open Quantum Safe has been provided by Amazon Web Services, the Canadian Centre for Cyber Security, Cisco, the Unitary Fund, the NGI Assure Fund, and VeriSign Inc.

-Financial support for the development of Open Quantum Safe has been provided by Amazon Web Services and the Canadian Centre for Cyber Security.
 Research projects which developed specific components of OQS have been supported by various research grants, including funding from the Natural Sciences and Engineering Research Council of Canada (NSERC); see the source papers for funding acknowledgments.
--- a/RELEASE.md
+++ b/RELEASE.md
@ -1,5 +1,5 @@
-liboqs version 0.6.0-rc3
-========================
+liboqs version 0.13.0
+=====================

 About
 -----
@ -10,49 +10,108 @@ The **Open Quantum Safe (OQS) project** has the goal of developing and prototypi

 liboqs can be used with the following Open Quantum Safe application integrations:

- **OQS-OpenSSL 1.1.1**: A prototype integration of liboqs-based authentication and key exchange into TLS 1.3 in our fork of OpenSSL 1.1.1; see the [OQS-OpenSSL-1\_1\_1-stable](https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable) branch of our OpenSSL fork's repository.
- **oqs-provider**: A standalone prototype of liboqs-based key exchange for TLS 1.3 using the OpenSSL 3 (alpha) provider integration mechanism.
+- **oqs-provider**: A standalone prototype [OpenSSL 3 provider](https://www.openssl.org/docs/manmaster/man7/provider.html) enabling liboqs-based quantum-safe and hybrid key authentication and exchange for TLS 1.3, X.509 certificate generation and CMS operations.
 - **OQS-BoringSSL**: A prototype integration of liboqs-based authentication and key exchange into TLS 1.3 in our fork of BoringSSL; see https://github.com/open-quantum-safe/boringssl.
+- **OQS-OpenSSH**: A prototype integration of liboqs-based authentication and key exchange into Secure Shell (SSH) version 2 in our fork of OpenSSH; see https://github.com/open-quantum-safe/openssh.

-Several [demos](https://github.com/open-quantum-safe/oqs-demos) are available for using the above libraries in applications, including Apache, Chromium, curl, haproxy, and nginx.  Performance of liboqs in several settings is measured at https://openquantumsafe.org/benchmarking/.
+Several [demos](https://github.com/open-quantum-safe/oqs-demos) are available for using the above libraries in applications, including Apache, Chromium, curl, haproxy, nginx, and Wireshark.

 liboqs can also be used in the following programming languages via language-specific wrappers:

 - C++, via https://github.com/open-quantum-safe/liboqs-cpp
 - Go, via https://github.com/open-quantum-safe/liboqs-go
 - Java, via https://github.com/open-quantum-safe/liboqs-java
- .NET, via https://github.com/open-quantum-safe/liboqs-dotnet
 - Python 3, via https://github.com/open-quantum-safe/liboqs-python
 - Rust, via https://github.com/open-quantum-safe/liboqs-rust

 Release notes
 =============

-This is release candidate 3 for version 0.6.0 of liboqs.  It was released on June 6, 2021.
+This is version 0.13.0 of liboqs. It was released on April 16, 2025.
+
+This release improves support for NIST Additional Signatures Round 2 candidates: CROSS and MAYO implementations are updated and support is added for UOV. This release also adds a new KEM API for deterministic key generation (only supported by ML-KEM at the moment). Finally, this release adds support for ML-KEM implementations from 2 new sources: formally verified portable C, AVX2, and AArch64 implementations from [PQCP's mlkem-native](https://github.com/pq-code-package/mlkem-native) and a GPU accelerated CUDA implementation from [Nvidia cuPQC](https://developer.nvidia.com/cupqc). 
+
+OQS is running a survey to better understand our community. We would like to hear from organizations and individuals about their interest in and use of the Open Quantum Safe project. Please take a few minutes to fill out the survey: https://linuxfoundation.surveymonkey.com/r/oqssurvey

 What's New
 ----------

-This release continues from the 0.5.0 release of liboqs. 
+This release continues from the 0.12.0 release of liboqs.

 ### Key encapsulation mechanisms

- Update Classic McEliece implementation
- Bug fixes in SIKE
- Bug fixes in HQC
- Change unsigned char to uint8_t in KEM API
- Fix wrong NIST level for Kyber768-90s
+- New API: Added a deterministic key generation and API for KEMs (only ML-KEM supported at the moment).
+- ML-KEM: Changed the default ML-KEM implementation to [PQCP's mlkem-native](https://github.com/pq-code-package/mlkem-native). There are three variants: Portable C, AVX2, and AArch64. Large parts of these implementations are formally verified: all of the C code is verified for memory and type safety using [CBMC](https://github.com/diffblue/cbmc) and the functional correctness of the core AArch64 assembly routines is verified using [HOL-Light](https://github.com/jrh13/hol-light). 
+- ML-KEM: Added support for the ML-KEM implementation from [Nvidia cuPQC](https://developer.nvidia.com/cupqc), a GPU accelerated cryptography library.
+- ML-KEM: Implementation from mlkem-native upstream updated to add Pair-wise Consistency Test (PCT) and Intel CET support.
+- ML-KEM: Improved testing of ML-KEM keys.
+- HQC: Disabled HQC by default until [a new security flaw](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP8) is fixed.

 ### Digital signature schemes

- Update SPHINCS+ to Round 3 version
+- ML-DSA: Improved testing for ML-DSA.
+- CROSS: Updated to NIST Additional Signatures Round 2 version.
+- MAYO: Updated to NIST Additional Signatures Round 2 version.
+- UOV: Added support for UOV algorithm from NIST Additional Signatures Round 2.

 ### Other changes

- Improve random number generator when not relying on OpenSSL
- Improve run-time and compile-time guarding of optimized code
- Remove (unused) AES decryption code from common symmetric encryption code
- Replace AES plain C implementation with a constant-time version
- Update Windows cross-compiling toolchain
- **Build options changed**:
-	- By default, liboqs is now no longer built by default with CPU runtime feature detection and thus resulting executables may crash if not compiled suitably for the  CPU on which the code shall be executed.  For Docker files, we recommend setting [OQS\_DIST\_BUILD](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs#OQS_DIST_BUILD) to obtain code able to handle different CPU feature sets. Also, [OQS\_OPT\_TARGET](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs#oqs_opt_target) can be used to target a specific CPU at compile time. These flags are documented on the [build options wiki page](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs).
+- Added support for loongarch64 architecture.
+
+---
+
+Detailed changelog
+------------------
+
+## What's Changed
+* Bump version to 0.12.1-dev by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2015
+* Add loongarch64 support by @zhaixiaojuan in https://github.com/open-quantum-safe/liboqs/pull/2010
+* Minor changes to ML_DSA ACVP tests by @abhinav-thales in https://github.com/open-quantum-safe/liboqs/pull/2007
+* Update upload-artifact action to v4 by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2017
+* Remove hardcoded build paths & modify basic workflow to build in random path by @iyanmv in https://github.com/open-quantum-safe/liboqs/pull/2019
+* Trigger liboqs-java and liboqs-rust downstream CI by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2021
+* #1830 update scorecard to v5 (gh action 2.4.0) by @planetf1 in https://github.com/open-quantum-safe/liboqs/pull/1890
+* Update PQClean commit and delete patch for HQC by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2026
+* Bump jinja2 from 3.1.4 to 3.1.5 in /scripts/copy_from_upstream in the pip group by @dependabot in https://github.com/open-quantum-safe/liboqs/pull/2036
+* Avoid unresolved symbols from libcrypto when compiled with OQS_DLOPEN_OPENSSL by @ueno in https://github.com/open-quantum-safe/liboqs/pull/2043
+* Update to public Ubuntu 24.04 ARM runner by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2050
+* NVIDIA: Adding cuPQC as a backend for ML-KEM. by @stevenireeves in https://github.com/open-quantum-safe/liboqs/pull/2044
+* Update ACVP vectors for KEM and DSA by @abhinav-thales in https://github.com/open-quantum-safe/liboqs/pull/2051
+* CI: Check unresolved symbols when compiled with OQS_DLOPEN_OPENSSL by @ueno in https://github.com/open-quantum-safe/liboqs/pull/2058
+* Fix failing zephyr CI workflows, pinning v0.27.4 by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2063
+* Update sig_stfl Doxygen documentation by @pablo-gf in https://github.com/open-quantum-safe/liboqs/pull/2059
+* Import ML-KEM from mlkem-native/PQ code package by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2041
+* Update example files by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2071
+* GitHub runner updates by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2069
+* Disable cupqc-buildcheck by @praveksharma in https://github.com/open-quantum-safe/liboqs/pull/2075
+* Add threat model by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2033
+* Update CROSS to version 2.0 by @rtjk in https://github.com/open-quantum-safe/liboqs/pull/2078
+* improving CONTRIBUTING.md for maintainability [skip ci] by @baentsch in https://github.com/open-quantum-safe/liboqs/pull/2081
+* Ensure that building against liboqs build directory works by @levitte in https://github.com/open-quantum-safe/liboqs/pull/2086
+* Added alg_version details to test output by @pablo-gf in https://github.com/open-quantum-safe/liboqs/pull/2080
+* Add checks for ML-KEM keys by @abhinav-thales in https://github.com/open-quantum-safe/liboqs/pull/2009
+* Update actions/cache to v4.2.2 by @mkannwischer in https://github.com/open-quantum-safe/liboqs/pull/2093
+* Add Nix flake by @aidenfoxivey in https://github.com/open-quantum-safe/liboqs/pull/1970
+* Update MAYO to NIST round 2 by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2095
+* Update mlkem-native to v1.0.0-beta by @mkannwischer in https://github.com/open-quantum-safe/liboqs/pull/2092
+* Add references to security response process by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2077
+* Bump version to 0.13.0-dev [skip ci] by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2099
+* Add UOV  by @mkannwischer in https://github.com/open-quantum-safe/liboqs/pull/2094
+* Add bitflip test for trivial SUF-CMA forgeries by @rtjk in https://github.com/open-quantum-safe/liboqs/pull/2090
+* Update MAYO version in algorithm datasheet by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2103
+* Add DeriveKeyPair API by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2070
+* Update nist-round in UOV and MAYO data sheet by @bhess in https://github.com/open-quantum-safe/liboqs/pull/2105
+* build: search unistd.h separately from sys/random.h for getentropy by @mkroening in https://github.com/open-quantum-safe/liboqs/pull/2104
+* Add support caveat by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2114
+* Temporarily disable HQC by @dstebila in https://github.com/open-quantum-safe/liboqs/pull/2122
+* Fix PR workflow runs by @SWilson4 in https://github.com/open-quantum-safe/liboqs/pull/2123
+
+## New Contributors
+* @zhaixiaojuan made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2010
+* @stevenireeves made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2044
+* @pablo-gf made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2059
+* @levitte made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2086
+* @mkannwischer made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2093
+* @mkroening made their first contribution in https://github.com/open-quantum-safe/liboqs/pull/2104
+
+**Full Changelog**: https://github.com/open-quantum-safe/liboqs/compare/0.12.0...0.13.0
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,35 @@
+# Security Policy
+
+## Supported Versions
+
+We only support the most recent release.
+
+Using any code prior to 0.12.0 is strongly discouraged due to a [known security vulnerability in HQC](https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7).
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.13.0  | :white_check_mark: |
+| < 0.13  | :x:                |
+
+## Reporting a Vulnerability
+
+Please follow [this information to report a vulnerability](https://openquantumsafe.org/liboqs/security.html#reporting-security-bugs).
+
+## Threat Model
+
+Some timing-based side-channel attacks are within the scope of our threat model. OQS tests for secret-dependent branches and memory accesses on Linux on x86\_64. All test failures are documented as either "passes," which we have assessed to be false positives, or "issues," which may constitute non–constant-time behaviour. The [algorithm datasheets](https://github.com/open-quantum-safe/liboqs/tree/main/docs/algorithms) indicate whether or not an implementation passes our constant-time tests, as well as whether or not it is expected to pass. Details about passes and issues are available in the [tests/constant_time directory](https://github.com/open-quantum-safe/liboqs/tree/main/tests/constant_time). These tests do not encompass all classes of non–constant-time behaviour; for example, they do not detect possible variable-time instructions, such as `DIV`. Reports of non–constant-time behaviour that fall outside this scope will be considered on a case-by-case basis, with a priority on [Tier 1 platforms](https://github.com/open-quantum-safe/liboqs/blob/main/PLATFORMS.md#tier-1).
+
+The following types of attacks are outside the scope of our threat model:
+
+- same physical system side channel
+- CPU / hardware flaws
+- physical fault injection attacks (including Rowhammer-style attacks)
+- physical observation side channels (such as power consumption, electromagnetic emissions)
+
+Mitigations for security issues outside the stated threat model may still be applied depending on the nature of the issue and the mitigation.
+
+(Based in part on https://openssl-library.org/policies/general/security-policy/index.html)
+
+## Security Response Process
+
+Security reports for liboqs will be handled in accordance with the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md). Please also see the general [support disclaimer](README.md#support-limitations) for liboqs.
--- a/appveyor.yml
+++ b/appveyor.yml
@ -1,60 +0,0 @@
-version: 1.0.{build}
-
-# TODO: Support Visual Studio 2017
-image: Visual Studio 2019
-
-platform: x64
-
-branches:
-  except:
-    - /main-new-.*/
-
-environment:
-  matrix:
-    - BUILD_SHARED: ON
-      COMPILER: cygwin
-    - BUILD_SHARED: OFF
-      COMPILER: cygwin
-    - BUILD_SHARED: ON
-      OQS_USE_OPENSSL: ON
-      COMPILER: cygwin
-    - BUILD_SHARED: OFF
-      COMPILER: msvc2019
-    - BUILD_SHARED: OFF
-      COMPILER: msvc2019
-      OQS_USE_OPENSSL: ON
-    - BUILD_SHARED: ON
-      COMPILER: msvc2019
-    - BUILD_SHARED: OFF
-      COMPILER: msys2
-    - BUILD_SHARED: ON
-      COMPILER: msys2
-
-for:
-  - matrix:
-      only:
-        - OQS_USE_OPENSSL: ON
-    before_build:
-      - cmd: |-
-             choco install openssl
-             SET "OPENSSL_ROOT_DIR=C:\OpenSSL-Win64"
-
-build_script:
-  - cmd: '%APPVEYOR_BUILD_FOLDER%\appveyor_build.bat'
-
-before_test:
-  - cmd: |-
-         SET "PATH=C:\Python37-x64;C:\Python37-x64\Scripts;%PATH%"
-         pip.exe install pytest pytest-xdist
-
-test_script:
-  - cmd: |-
-         cd %APPVEYOR_BUILD_FOLDER%
-         set PATH=%APPVEYOR_BUILD_FOLDER%\build\bin;c:\cygwin64\bin;%PATH%
-         if not exist tmp (mkdir tmp) 
-         python -m pytest --numprocesses=auto -vv --maxfail=10 --ignore=tests/test_code_conventions.py --junitxml=build\test-results\pytest\test-results.xml
-
-after_test:
-  - ps: |-
-        $wc = New-Object 'System.Net.WebClient'
-        $wc.UploadFile("https://ci.appveyor.com/api/testresults/xunit/$($env:APPVEYOR_JOB_ID)", (Resolve-Path .\build\test-results\pytest\test-results.xml))
--- a/appveyor_build.bat
+++ b/appveyor_build.bat
@ -1,20 +0,0 @@
-@echo off
-IF %COMPILER%==cygwin (
-    @echo on
-    SET "PATH=C:\cywin64\bin;c:\cygwin64;%PATH%"
-    c:\cygwin64\bin\bash.exe -lc "setup-x86_64.exe -qnNdO -R C:/cygwin64 -l C:/cygwin/var/cache/setup -P openssl -P libssl-devel -P ninja -P cmake -P gcc && cd ${APPVEYOR_BUILD_FOLDER} && openssl version && cygcheck -c && pwd && mkdir build && cd build && cmake .. -GNinja -DCMAKE_C_COMPILER=gcc -DOQS_DIST_BUILD=ON -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_ENABLE_SIG_RAINBOW=OFF -DBUILD_SHARED_LIBS=%BUILD_SHARED% -DOQS_USE_OPENSSL=%OQS_USE_OPENSSL% && ninja "
-)
-IF %COMPILER%==msys2 (
-    @echo on
-    SET "PATH=C:\msys64\mingw64\bin;%PATH%"
-    bash -lc "cd ${APPVEYOR_BUILD_FOLDER} && mkdir build && cd build && cmake .. -GNinja -DOQS_DIST_BUILD=ON -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_ENABLE_SIG_RAINBOW=OFF -DBUILD_SHARED_LIBS=%BUILD_SHARED% -DOQS_USE_OPENSSL=%OQS_USE_OPENSSL% && ninja"
-)
-IF %COMPILER%==msvc2019 (
-    @echo on
-    CALL "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
-    mkdir build
-    cd build
-    REM SPHINCS and Rainbow cause a big slowdown in the tests
-    cmake .. -GNinja -DOQS_DIST_BUILD=ON -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_ENABLE_SIG_RAINBOW=OFF -DBUILD_SHARED_LIBS=%BUILD_SHARED% -DOQS_USE_OPENSSL=%OQS_USE_OPENSSL%
-    ninja
-)
--- a/cpp/sig_linking_test.cpp
+++ b/cpp/sig_linking_test.cpp
@ -0,0 +1,182 @@
+/*
+ * example_sig.cpp
+ *
+ * Minimal C++ example of using a post-quantum signature implemented in liboqs.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <cstdint>
+#include <cstdlib>
+#include <cstring>
+#include <iostream>
+#include <memory>
+
+#include <oqs/oqs.h>
+
+constexpr size_t MESSAGE_LEN = 50;
+
+/* Cleaning up memory etc */
+void cleanup_stack(uint8_t *secret_key, size_t secret_key_len);
+
+struct OQSSecureDeleter {
+    size_t length;
+
+    explicit OQSSecureDeleter(size_t len) : length(len) {}
+
+    void operator()(uint8_t* ptr) const {
+        if (ptr) {
+            OQS_MEM_secure_free(ptr, length);
+        }
+    }
+};
+
+struct OQSInsecureDeleter {
+	void operator()(uint8_t* ptr) {
+		if (ptr) {
+			OQS_MEM_insecure_free(ptr);
+		}
+	}
+};
+
+struct OQSSigDeleter {
+    void operator()(OQS_SIG* sig) {
+        if (sig) {
+            OQS_SIG_free(sig);
+        }
+    }
+};
+
+
+/* This function gives an example of the signing operations
+ * using only compile-time macros and allocating variables
+ * statically on the stack, calling a specific algorithm's functions
+ * directly.
+ *
+ * The macros OQS_SIG_dilithium_2_length_* and the functions OQS_SIG_dilithium_2_*
+ * are only defined if the algorithm dilithium_2 was enabled at compile-time
+ * which must be checked using the OQS_ENABLE_SIG_dilithium_2 macro.
+ *
+ * <oqs/oqsconfig.h>, which is included in <oqs/oqs.h>, contains macros
+ * indicating which algorithms were enabled when this instance of liboqs
+ * was compiled.
+ */
+static OQS_STATUS example_stack(void) {
+
+#ifdef OQS_ENABLE_SIG_dilithium_2
+
+	OQS_STATUS rc;
+
+	uint8_t public_key[OQS_SIG_dilithium_2_length_public_key];
+	uint8_t secret_key[OQS_SIG_dilithium_2_length_secret_key];
+	uint8_t message[MESSAGE_LEN];
+	uint8_t signature[OQS_SIG_dilithium_2_length_signature];
+	size_t message_len = MESSAGE_LEN;
+	size_t signature_len;
+
+	// let's create a random test message to sign
+	OQS_randombytes(message, message_len);
+
+	rc = OQS_SIG_dilithium_2_keypair(public_key, secret_key);
+	if (rc != OQS_SUCCESS) {
+		std::cerr << "ERROR: OQS_SIG_dilithium_2_keypair failed!" << std::endl;
+		cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+		return OQS_ERROR;
+	}
+	rc = OQS_SIG_dilithium_2_sign(signature, &signature_len, message, message_len, secret_key);
+	if (rc != OQS_SUCCESS) {
+		std::cerr << "ERROR: OQS_SIG_dilithium_2_sign failed!" << std::endl;
+		cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+		return OQS_ERROR;
+	}
+	rc = OQS_SIG_dilithium_2_verify(message, message_len, signature, signature_len, public_key);
+	if (rc != OQS_SUCCESS) {
+		std::cerr << "ERROR: OQS_SIG_dilithium_2_verify failed!" << std::endl;
+		cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+		return OQS_ERROR;
+	}
+
+	std::cout << "[example_stack] OQS_SIG_dilithium_2 operations completed" << std::endl;
+	cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+	return OQS_SUCCESS; // success!
+
+#else
+
+	std::cout << "[example_stack] OQS_SIG_dilithium_2 was not enabled at compile-time" << std::endl;
+	return OQS_SUCCESS;
+
+#endif
+}
+
+/* This function gives an example of the signing operations,
+ * allocating variables dynamically on the heap and calling the generic
+ * OQS_SIG object.
+ *
+ * This does not require the use of compile-time macros to check if the
+ * algorithm in question was enabled at compile-time; instead, the caller
+ * must check that the OQS_SIG object returned is not nullptr.
+ */
+static OQS_STATUS example_heap(void) {
+
+#ifdef OQS_ENABLE_SIG_dilithium_2
+
+	size_t message_len = MESSAGE_LEN;
+	size_t signature_len;
+	OQS_STATUS rc;
+
+	std::unique_ptr<OQS_SIG, OQSSigDeleter> sig(OQS_SIG_new((OQS_SIG_alg_dilithium_2)));
+	if (sig == nullptr) {
+		throw std::runtime_error("[example_heap]  OQS_SIG_alg_dilithium_2 was not enabled at compile-time.");
+	}
+	std::unique_ptr<uint8_t[], OQSInsecureDeleter> public_key(static_cast<uint8_t*>(malloc(sig->length_public_key)));
+	std::unique_ptr<uint8_t[], OQSSecureDeleter> secret_key(static_cast<uint8_t*>(malloc(sig->length_secret_key)), OQSSecureDeleter(sig->length_secret_key));
+	std::unique_ptr<uint8_t[], OQSInsecureDeleter> message(static_cast<uint8_t*>(malloc(message_len)));
+	std::unique_ptr<uint8_t[], OQSInsecureDeleter> signature(static_cast<uint8_t*>(malloc(sig->length_signature)));
+	if ((public_key == nullptr) || (secret_key == nullptr) || (message == nullptr) || (signature == nullptr)) {
+		throw std::runtime_error("ERROR: malloc failed!");
+	}
+
+	// let's create a random test message to sign
+	OQS_randombytes(message.get(), message_len);
+
+	rc = OQS_SIG_keypair(sig.get(), public_key.get(), secret_key.get());
+	if (rc != OQS_SUCCESS) {
+		throw std::runtime_error("ERROR: OQS_SIG_keypair failed!");
+	}
+	rc = OQS_SIG_sign(sig.get(), signature.get(), &signature_len, message.get(), message_len, secret_key.get());
+	if (rc != OQS_SUCCESS) {
+		throw std::runtime_error("ERROR: OQS_SIG_sign failed!");
+	}
+	rc = OQS_SIG_verify(sig.get(), message.get(), message_len, signature.get(), signature_len, public_key.get());
+	if (rc != OQS_SUCCESS) {
+		throw std::runtime_error("ERROR: OQS_SIG_verify failed!");
+	}
+
+	std::cout << "[example_heap]  OQS_SIG_dilithium_2 operations completed." << std::endl;
+	return OQS_SUCCESS; // success
+#else
+
+	std::cout << "[example_heap] OQS_SIG_dilithium_2 was not enabled at compile-time." << std::endl;
+	return OQS_SUCCESS;
+
+#endif
+}
+
+int main() {
+	OQS_init();
+	try {
+		example_stack();
+		example_heap();
+	}
+	catch (std::exception e) {
+		std::cerr << e.what() << std::endl;
+		OQS_destroy();
+		return EXIT_FAILURE;
+	}
+	OQS_destroy();
+	return EXIT_SUCCESS;
+}
+
+void cleanup_stack(uint8_t *secret_key, size_t secret_key_len) {
+	OQS_MEM_cleanse(secret_key, secret_key_len);
+}
--- a/docs/.Doxyfile
+++ b/docs/.Doxyfile
--- a/docs/FUZZING.md
+++ b/docs/FUZZING.md
@ -0,0 +1,77 @@
+# Fuzzing
+
+Fuzz testing is an automated software testing method that injects invalid, 
+malformed, or unexpected inputs to reveal defects and vulnerabilities. A fuzzing 
+tool monitors the system for exceptions like crashes, information leakage, or 
+errors, helping developers identify and fix bugs and security loopholes.
+
+## Current state of fuzzing in liboqs
+- [ ] kem 
+  - [ ] bike
+  - [ ] classic_mceliece
+  - [ ] frodokem
+  - [ ] hqc
+  - [ ] kyber
+  - [ ] ml_kem
+  - [ ] ntruprime
+- [ ] sig
+  - [x] dilithium
+  - [x] falcon
+  - [x] mayo
+  - [x] ml_dsa
+  - [x] sphincs
+- [ ] sig_stfl
+  - [ ] lms
+  - [ ] sig_stfl
+  - [ ] xmss
+
+## Building and running fuzz tests
+
+Building fuzz tests is very similar to building normally with some optional
+steps to target different types of bugs. The most basic ways to build the
+fuzz tests is as follows;
+
+```bash
+mkdir build && cd build
+cmake -GNinja ..  -DOQS_BUILD_FUZZ_TESTS=ON
+ninja -j$(nproc)
+```
+
+You'll now be able to run a fuzz test e.g.
+```bash
+./tests/fuzz_test_dilithium2
+#9764	NEW    cov: 4 ft: 708 corp: 100/318b lim: 43 exec/s: 9764 rss: 362Mb L: 41/41 MS: 4 EraseBytes-InsertRepeatedBytes-CMP-ChangeBit- DE: "\0004m\372"-
+...
+```
+The fuzzer will run indefinetely or;
+- until it finds a bug and crashes,
+- you manually stop the fuzzer i.e. CTRL-C
+- you set a timeout using the command line.
+
+For more details on the available command line args please consult the [libfuzzer docs](https://llvm.org/docs/LibFuzzer.html).
+
+## Sanitizers
+It is a common pattern to combine fuzzing with various sanitizers to catch different bugs.
+One of the simpler sanitizers is the fuzzing sanitizer, which will instrument the code
+for coverage driven fuzzing. To enable this simply add this to your environment variables
+before configuring cmake;
+
+```
+export CFLAGS=-fsanitize=fuzzer-no-link
+```
+
+It is common to combine the fuzzer sanitizer with either the [address](https://clang.llvm.org/docs/AddressSanitizer.html)
+or the [undefined behaviour sanitizer](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html). To
+add these simply add the relevant flags to BOTH the CFLAGS and LDFLAGS e.g.
+
+```
+export CFLAGS=-fsanitize=fuzzer-no-link,address
+export LDFLAGS=-fsanitize=address
+```
+
+Then rerun cmake as normal i.e.
+```bash
+mkdir build && cd build
+cmake -GNinja ..  -DOQS_BUILD_FUZZ_TESTS=ON
+ninja -j$(nproc)
+```
--- a/docs/PROCEDURES.md
+++ b/docs/PROCEDURES.md
@ -0,0 +1,69 @@
+# Additional procedures for code maintenance 
+
+## Managing pinned dependencies
+
+The OpenSSF, via the [scorecard](https://securityscorecards.dev/) project recommends that projects pin any
+dependencies they use:
+
+* to ensure reproducibility
+* to reduce the risk for rogue dependency updates to compromise software
+
+It's important to note that this requires any changes to dependencies are properly reviewed, and
+these changes, by design, should not be automatic in themselves, though automated tools may provide recommendations.
+
+### Python dependencies
+
+Python dependencies used in the build process such as within `.github/workflows` should be pinned to a specific version to ensure reproducibility.
+
+This is achieved by:
+
+* Ensuring the required hash is in the `requirements.txt`.
+* Using the `--require-hashes` option on any `pip install` command line which causes pip to require hashes for all dependencies.
+
+To add a new, or changed dependency:
+
+* Ensure the `pip-compile` tool is installed via the [pip-tools](https://pypi.org/project/pip-tools/) package.
+* Update `requirements.in` with added, modified, or deleted dependencies. 
+* Update requirements.txt using `pip-compile --generate-hashes --output-file=requirements.txt requirements.in`.
+* Verify correct functionality.
+* Check in both `requirements.txt` and `requirements.in`.
+
+ Note: `requirements.in` acts purely as a template in this process. It is not used during the installation of a dependency.
+
+### Github Actions
+
+All actions used in `.github/worfklows` should pin the exact version of the action they are using, for
+example a step such as:
+
+```yaml
+- name: Checkout code
+  uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # pin@v4
+```
+
+The exact hash specified after `@` is the git commit hash within the repo where the action is found.
+
+The [pin github action](https://github.com/mheap/pin-github-action) tool can be used to maintain these
+by, for example, running:
+
+```shell
+pin-github-action unix.yml
+```
+
+This will add the appropriate hash if not present, along with a comment, and also update each hash in accordance with any existing comment.
+
+For major updates, update the comment ie `pin@v4` to `pin@v5` and the tool will attempt to find the new hash.
+
+The comment should not be removed, and should exclusively be used for updating the version.
+
+A full explanation of how the tool operates can be found in the [documentation](https://github.com/mheap/pin-github-action).
+
+To help in explanation here's an example of a similar code fragment between tool executions:
+
+* Original entry is `uses: actions/checkout@v3`
+* run `pin-github-action unix.yml`
+* We now see `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3`
+* later we want to go to v4, so update the text to `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v4`
+* Now run `pin-github-action unix.yml` to correct the sha
+* File now shows `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4`
+
+When changes have been made, correct functionality of the Github actions should be verified by reviewing the Github action logs and outputs. The SHA inserted by the tool can be searched for in Github to check it is associated with the expected version.
--- a/docs/algorithms/kem/bike.md
+++ b/docs/algorithms/kem/bike.md
@ -1,30 +1,53 @@
-BIKE
-====
+# BIKE

- **Algorithm type**: Key Encapsulation Mechanism
- **Main cryptographic assumption**: quasi-cyclic syndrome decoding (QCSD)
- **Scheme authors**: Nicolas Aragon, Paulo Barreto, Slim Bettaieb, Loic Bidoux, Olivier Blazy, Jean-Christophe Deneuville, Phillipe Gaborit, Shay Gueron, Tim Guneysu, Carlos Aguilar Melchor, Rafael Misoczki, Edoardo Persichetti, Nicolas Sendrier, Jean-Pierre Tillich, Gilles Zemor
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: QC-MDPC (Quasi-Cyclic Moderate Density Parity-Check).
+- **Principal submitters**: Nicolas Aragon, Paulo Barreto, Slim Bettaieb, Loic Bidoux, Olivier Blazy, Jean-Christophe Deneuville, Phillipe Gaborit, Santosh Gosh, Shay Gueron, Tim Güneysu, Carlos Aguilar Melchor, Rafael Misoczki, Edoardo Persichetti, Nicolas Sendrier, Jean-Pierre Tillich, Valentin Vasseur, Gilles Zémor.
 - **Authors' website**: http://bikesuite.org/
- **Version**: 3.2
- **Added to liboqs by**: Shay Gueron and Nir Drucker.
+- **Specification version**: 5.1.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/awslabs/bike-kem
+  - **Implementation license (SPDX-Identifier)**: Apache-2.0
+- **Ancestors of primary source**:
+  - https://bikesuite.org/files/v5.0/Reference_Implementation.2022.10.04.1.zip

-Implementation
--------------
+## Parameter set summary

- **Source of implementation**: https://bikesuite.org/additional.html
- **Implementation version**: BIKE-1 L1/3 with the BGF decoder (as defined in "QC-MDPC decoders with several shades of gray" at https://eprint.iacr.org/2019/1423) 
-  - BIKE-1-FO L1/3 that matches [BIKE's v3.2](https://bikesuite.org/files/round2/spec/BIKE-Spec-2020.02.07.1.pdf)
-  - BIKE-1-CPA L1/3 that matches BIKE Round-1 (and BIKE v3.0) for backward compatibility
- **License**: Apache 2.0 License
- **Constant-time**: Yes
- **Optimizations**: Portable C with optional use (selected at compile-time, enabled by default if available) of AVX2 instructions
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+|     BIKE-L1     | NA                    | IND-CPA          |                    1 |                      1541 |                      5223 |                      1573 |                           32 | NA                          |
+|     BIKE-L3     | NA                    | IND-CPA          |                    3 |                      3083 |                     10105 |                      3115 |                           32 | NA                          |
+|     BIKE-L5     | NA                    | IND-CPA          |                    5 |                      5122 |                     16494 |                      5154 |                           32 | NA                          |

-Parameter sets
--------------
+## BIKE-L1 implementation characteristics

-| Parameter set       | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-|---------------------|:--------------:|:---------------------------:|:-----------------------:|:-----------------------:|:-----------------------:|:--------------------------:|
-| BIKE1-L1-CPA        |     IND-CPA    |              1              |           2542          |          3110          |           2542          |             32             |
-| BIKE1-L3-CPA        |     IND-CPA    |              3              |           4964          |          5788          |           4964          |             32             |
-| BIKE1-L1-FO         |     IND-CCA    |              1              |           2946          |          6460          |           2946          |             32             |
-| BIKE1-L3-FO         |     IND-CCA    |              3              |           6206          |         13236          |           6206          |             32             |
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | master                   | 64-bit little-endian        | Linux,Darwin                    | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin                    | AVX2,AVX512,PCLMUL,SSE2 | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## BIKE-L3 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | 64-bit little-endian        | Linux,Darwin                    | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin                    | AVX2,AVX512,PCLMUL,SSE2 | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## BIKE-L5 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | 64-bit little-endian        | Linux,Darwin                    | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin                    | AVX2,AVX512,PCLMUL,SSE2 | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/bike.yml
+++ b/docs/algorithms/kem/bike.yml
@ -0,0 +1,138 @@
+name: BIKE
+type: kem
+principal-submitters:
+- Nicolas Aragon
+- Paulo Barreto
+- Slim Bettaieb
+- Loic Bidoux
+- Olivier Blazy
+- Jean-Christophe Deneuville
+- Phillipe Gaborit
+- Santosh Gosh
+- Shay Gueron
+- Tim Güneysu
+- Carlos Aguilar Melchor
+- Rafael Misoczki
+- Edoardo Persichetti
+- Nicolas Sendrier
+- Jean-Pierre Tillich
+- Valentin Vasseur
+- Gilles Zémor
+crypto-assumption: QC-MDPC (Quasi-Cyclic Moderate Density Parity-Check)
+website: http://bikesuite.org/
+nist-round: 4
+spec-version: 5.1
+primary-upstream:
+  source: https://github.com/awslabs/bike-kem
+  spdx-license-identifier: Apache-2.0
+upstream-ancestors:
+- https://bikesuite.org/files/v5.0/Reference_Implementation.2022.10.04.1.zip
+parameter-sets:
+- name: BIKE-L1
+  claimed-nist-level: 1
+  claimed-security: IND-CPA
+  length-public-key: 1541
+  length-ciphertext: 1573
+  length-secret-key: 5223
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: 64-bit little-endian
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - avx512
+      - pclmul
+      - sse2
+    common-crypto:
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: BIKE-L3
+  claimed-nist-level: 3
+  claimed-security: IND-CPA
+  length-ciphertext: 3115
+  length-public-key: 3083
+  length-secret-key: 10105
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: 64-bit little-endian
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - avx512
+      - pclmul
+      - sse2
+    common-crypto:
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: BIKE-L5
+  claimed-nist-level: 5
+  claimed-security: IND-CPA
+  length-ciphertext: 5154
+  length-public-key: 5122
+  length-secret-key: 16494
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: 64-bit little-endian
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - avx512
+      - pclmul
+      - sse2
+    common-crypto:
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
--- a/docs/algorithms/kem/classic_mceliece.md
+++ b/docs/algorithms/kem/classic_mceliece.md
@ -1,30 +1,128 @@
 # Classic McEliece

- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: Niederreiter's dual version of McEliece's public key encryption using binary Goppa codes
- **Scheme authors**: Daniel J. Bernstein, Tung Chou, Tanja Lange, Ingo von Maurich, Rafael Misoczki, Ruben Niederhagen, Edoardo Persichetti, Christiane Peters, Peter Schwabe, Nicolas Sendrier, Jakub Szefer, Wen Wang
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: Niederreiter's dual version of McEliece's public key encryption using binary Goppa codes.
+- **Principal submitters**: Daniel J. Bernstein, Tung Chou, Tanja Lange, Ingo von Maurich, Rafael Misoczki, Ruben Niederhagen, Edoardo Persichetti, Christiane Peters, Peter Schwabe, Nicolas Sendrier, Jakub Szefer, Wen Wang.
 - **Authors' website**: https://classic.mceliece.org
- **Version**: SUPERCOP-20191221
+- **Specification version**: SUPERCOP-20221025.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
+  - **Implementation license (SPDX-Identifier)**: Public domain
+- **Ancestors of primary source**:
+  - SUPERCOP-20221025 "clean" and "avx2" implementations

-## Implementation
+## Advisories

- **Source of implementation**: SUPERCOP-20191221, "vec" and "avx" implementations
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: Public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AVX2, BMI1, POPCNT instructions (if available at run-time)
+- Classic-McEliece-460896, Classic-McEliece-460896f, Classic-McEliece-6960119, and Classic-McEliece-6960119f parameter sets fail memory leak testing on x86-64 when building with ``clang`` using optimization level ``-O2`` and ``-O3``. Care is advised when using the algorithm at higher optimization levels, and any other compiler and architecture.
+- Current implementation of the algorithm may not be constant-time. Additionally, environment specific constant-time leaks may not be documented; please report potential constant-time leaks when found.

-## Parameter sets
+## Parameter set summary

-| Parameter set             | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-| ------------------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ----------------------- | -------------------------- |
-| Classic-McEliece-348864   | IND-CCA2       | 1                           | 261120                  | 6452                    | 128                     | 32                         |
-| Classic-McEliece-348864f  | IND-CCA2       | 1                           | 261120                  | 6452                    | 128                     | 32                         |
-| Classic-McEliece-460896   | IND-CCA2       | 3                           | 524160                  | 13568                   | 188                     | 32                         |
-| Classic-McEliece-460896f  | IND-CCA2       | 3                           | 524160                  | 13568                   | 188                     | 32                         |
-| Classic-McEliece-6688128  | IND-CCA2       | 5                           | 1044992                 | 13892                   | 240                     | 32                         |
-| Classic-McEliece-6688128f | IND-CCA2       | 5                           | 1044992                 | 13892                   | 240                     | 32                         |
-| Classic-McEliece-6960119  | IND-CCA2       | 5                           | 1047319                 | 13908                   | 226                     | 32                         |
-| Classic-McEliece-6960119f | IND-CCA2       | 5                           | 1047319                 | 13908                   | 226                     | 32                         |
-| Classic-McEliece-8192128  | IND-CCA2       | 5                           | 1357824                 | 14080                   | 240                     | 32                         |
-| Classic-McEliece-8192128f | IND-CCA2       | 5                           | 1357824                 | 14080                   | 240                     | 32                         |
+|       Parameter set       | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:-------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+|  Classic-McEliece-348864  | NA                    | IND-CCA2         |                    1 |                    261120 |                      6492 |                        96 |                           32 | NA                          |
+| Classic-McEliece-348864f  | NA                    | IND-CCA2         |                    1 |                    261120 |                      6492 |                        96 |                           32 | NA                          |
+|  Classic-McEliece-460896  | NA                    | IND-CCA2         |                    3 |                    524160 |                     13608 |                       156 |                           32 | NA                          |
+| Classic-McEliece-460896f  | NA                    | IND-CCA2         |                    3 |                    524160 |                     13608 |                       156 |                           32 | NA                          |
+| Classic-McEliece-6688128  | NA                    | IND-CCA2         |                    5 |                   1044992 |                     13932 |                       208 |                           32 | NA                          |
+| Classic-McEliece-6688128f | NA                    | IND-CCA2         |                    5 |                   1044992 |                     13932 |                       208 |                           32 | NA                          |
+| Classic-McEliece-6960119  | NA                    | IND-CCA2         |                    5 |                   1047319 |                     13948 |                       194 |                           32 | NA                          |
+| Classic-McEliece-6960119f | NA                    | IND-CCA2         |                    5 |                   1047319 |                     13948 |                       194 |                           32 | NA                          |
+| Classic-McEliece-8192128  | NA                    | IND-CCA2         |                    5 |                   1357824 |                     14120 |                       208 |                           32 | NA                          |
+| Classic-McEliece-8192128f | NA                    | IND-CCA2         |                    5 |                   1357824 |                     14120 |                       208 |                           32 | NA                          |
+
+## Classic-McEliece-348864 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                  |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT             | False                              | False                                          | True                  |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## Classic-McEliece-348864f implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT,BMI1        | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-460896 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT             | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-460896f implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT,BMI1        | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-6688128 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT             | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-6688128f implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT,BMI1        | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-6960119 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT             | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-6960119f implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT,BMI1        | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-8192128 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT             | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Classic-McEliece-8192128f implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,POPCNT,BMI1        | False                              | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/classic_mceliece.yml
+++ b/docs/algorithms/kem/classic_mceliece.yml
@ -0,0 +1,381 @@
+name: Classic McEliece
+type: kem
+principal-submitters:
+- Daniel J. Bernstein
+- Tung Chou
+- Tanja Lange
+- Ingo von Maurich
+- Rafael Misoczki
+- Ruben Niederhagen
+- Edoardo Persichetti
+- Christiane Peters
+- Peter Schwabe
+- Nicolas Sendrier
+- Jakub Szefer
+- Wen Wang
+crypto-assumption: Niederreiter's dual version of McEliece's public key encryption
+  using binary Goppa codes
+website: https://classic.mceliece.org
+nist-round: 3
+spec-version: SUPERCOP-20221025
+upstream-ancestors:
+- SUPERCOP-20221025 "clean" and "avx2" implementations
+advisories:
+- Classic-McEliece-460896, Classic-McEliece-460896f, Classic-McEliece-6960119, and
+  Classic-McEliece-6960119f parameter sets fail memory leak testing on x86-64 when
+  building with ``clang`` using optimization level ``-O2`` and ``-O3``. Care is advised
+  when using the algorithm at higher optimization levels, and any other compiler and
+  architecture.
+- Current implementation of the algorithm may not be constant-time. Additionally,
+  environment specific constant-time leaks may not be documented; please report potential
+  constant-time leaks when found.
+parameter-sets:
+- name: Classic-McEliece-348864
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 261120
+  length-ciphertext: 96
+  length-secret-key: 6492
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-348864f
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 261120
+  length-ciphertext: 96
+  length-secret-key: 6492
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+      - bmi1
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-460896
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 524160
+  length-ciphertext: 156
+  length-secret-key: 13608
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-460896f
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 524160
+  length-ciphertext: 156
+  length-secret-key: 13608
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+      - bmi1
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-6688128
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1044992
+  length-ciphertext: 208
+  length-secret-key: 13932
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-6688128f
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1044992
+  length-ciphertext: 208
+  length-secret-key: 13932
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+      - bmi1
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-6960119
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1047319
+  length-ciphertext: 194
+  length-secret-key: 13948
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-6960119f
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1047319
+  length-ciphertext: 194
+  length-secret-key: 13948
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+      - bmi1
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-8192128
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1357824
+  length-ciphertext: 208
+  length-secret-key: 14120
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+- name: Classic-McEliece-8192128f
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1357824
+  length-ciphertext: 208
+  length-secret-key: 14120
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - popcnt
+      - bmi1
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
+    upstream: primary-upstream
+auxiliary-submitters: []
+primary-upstream:
+  spdx-license-identifier: Public domain
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
--- a/docs/algorithms/kem/frodokem.md
+++ b/docs/algorithms/kem/frodokem.md
@ -1,29 +1,82 @@
-FrodoKEM
-========
+# FrodoKEM

- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: learning with errors (LWE)
- **Scheme authors**: Michael Naehrig, Erdem Alkim, Joppe Bos, Léo Ducas, Karen Easterbrook, Brian LaMacchia, Patrick Longa, Ilya Mironov, Valeria Nikolaenko, Christopher Peikert, Ananth Raghunathan, Douglas Stebila
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: learning with errors (LWE).
+- **Principal submitters**: Michael Naehrig, Erdem Alkim, Joppe Bos, Léo Ducas, Karen Easterbrook, Brian LaMacchia, Patrick Longa, Ilya Mironov, Valeria Nikolaenko, Christopher Peikert, Ananth Raghunathan, Douglas Stebila.
 - **Authors' website**: https://frodokem.org/
- **Version**: NIST Round 3 submission
+- **Specification version**: NIST Round 3 submission.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/microsoft/PQCrypto-LWEKE/commit/b6609d30a9982318d7f2937aa3c7b92147b917a2
+  - **Implementation license (SPDX-Identifier)**: MIT

-Implementation
--------------

- **Source of implementation**: https://github.com/Microsoft/PQCrypto-LWEKE
- **Implementation version**: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- **License**: MIT License
- **Constant-time**: Yes
- **Optimizations**: Portable C with optional use of AVX2 and AESNI instructions (selected at compile-time, enabled by default if available)
+## Parameter set summary

-Parameter sets
--------------
+|    Parameter set    | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:-------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+|  FrodoKEM-640-AES   | NA                    | IND-CCA2         |                    1 |                      9616 |                     19888 |                      9720 |                           16 | NA                          |
+| FrodoKEM-640-SHAKE  | NA                    | IND-CCA2         |                    1 |                      9616 |                     19888 |                      9720 |                           16 | NA                          |
+|  FrodoKEM-976-AES   | NA                    | IND-CCA2         |                    3 |                     15632 |                     31296 |                     15744 |                           24 | NA                          |
+| FrodoKEM-976-SHAKE  | NA                    | IND-CCA2         |                    3 |                     15632 |                     31296 |                     15744 |                           24 | NA                          |
+|  FrodoKEM-1344-AES  | NA                    | IND-CCA2         |                    5 |                     21520 |                     43088 |                     21632 |                           32 | NA                          |
+| FrodoKEM-1344-SHAKE | NA                    | IND-CCA2         |                    5 |                     21520 |                     43088 |                     21632 |                           32 | NA                          |

-| Parameter set       | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-|---------------------|:--------------:|:---------------------------:|:-----------------------:|:-----------------------:|:-----------------------:|:--------------------------:|
-| FrodoKEM-640-AES    |     IND-CCA    |              1              |           9616          |          19888          |           9720          |             16             |
-| FrodoKEM-640-SHAKE  |     IND-CCA    |              1              |           9616          |          19888          |           9720          |             16             |
-| FrodoKEM-976-AES    |     IND-CCA    |              3              |          15632          |          31296          |          15744          |             24             |
-| FrodoKEM-976-SHAKE  |     IND-CCA    |              3              |          15632          |          31296          |          15744          |             24             |
-| FrodoKEM-1344-AES   |     IND-CCA    |              5              |          21520          |          43088          |          21632          |             32             |
-| FrodoKEM-1344-SHAKE |     IND-CCA    |              5              |          21520          |          43088          |          21632          |             32             |
+## FrodoKEM-640-AES implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | master                   | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin,Windows            | AVX2                    | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## FrodoKEM-640-SHAKE implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin,Windows            | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## FrodoKEM-976-AES implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin,Windows            | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## FrodoKEM-976-SHAKE implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin,Windows            | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## FrodoKEM-1344-AES implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin,Windows            | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## FrodoKEM-1344-SHAKE implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | master                   | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | master                   | x86\_64                     | Linux,Darwin,Windows            | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/frodokem.yml
+++ b/docs/algorithms/kem/frodokem.yml
@ -0,0 +1,227 @@
+name: FrodoKEM
+type: kem
+principal-submitters:
+- Michael Naehrig
+- Erdem Alkim
+- Joppe Bos
+- Léo Ducas
+- Karen Easterbrook
+- Brian LaMacchia
+- Patrick Longa
+- Ilya Mironov
+- Valeria Nikolaenko
+- Christopher Peikert
+- Ananth Raghunathan
+- Douglas Stebila
+crypto-assumption: learning with errors (LWE)
+website: https://frodokem.org/
+nist-round: 3
+spec-version: NIST Round 3 submission
+primary-upstream:
+  source: https://github.com/microsoft/PQCrypto-LWEKE/commit/b6609d30a9982318d7f2937aa3c7b92147b917a2
+  spdx-license-identifier: MIT
+parameter-sets:
+- name: FrodoKEM-640-AES
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 9616
+  length-ciphertext: 9720
+  length-secret-key: 19888
+  length-shared-secret: 16
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      - Windows
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: FrodoKEM-640-SHAKE
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 9616
+  length-ciphertext: 9720
+  length-secret-key: 19888
+  length-shared-secret: 16
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      - Windows
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: FrodoKEM-976-AES
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 15632
+  length-ciphertext: 15744
+  length-secret-key: 31296
+  length-shared-secret: 24
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      - Windows
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: FrodoKEM-976-SHAKE
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 15632
+  length-ciphertext: 15744
+  length-secret-key: 31296
+  length-shared-secret: 24
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      - Windows
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: FrodoKEM-1344-AES
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 21520
+  length-ciphertext: 21632
+  length-secret-key: 43088
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      - Windows
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: FrodoKEM-1344-SHAKE
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 21520
+  length-ciphertext: 21632
+  length-secret-key: 43088
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: master
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      - Windows
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
--- a/docs/algorithms/kem/hqc.md
+++ b/docs/algorithms/kem/hqc.md
@ -1,23 +1,51 @@
 # HQC

- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: Syndrome decoding of structure codes (Hamming Quasi-Cyclic)
- **Scheme authors**: Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loïc Bidoux, Olivier Blazy, Jurjen Bos, Jean-Christophe Deneuville, Arnaud Dion, Philippe Gaborit, Jérôme Lacan, Edoardo Persichetti, Jean-Marc Robert, Rascal Véron, Gilles Zémor
- **Authors' website**: http://pqc-hqc.org
- **Version**: 2020/10/01
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: Syndrome decoding of structure codes (Hamming Quasi-Cyclic).
+- **Principal submitters**: Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loïc Bidoux, Olivier Blazy, Jurjen Bos, Jean-Christophe Deneuville, Arnaud Dion, Philippe Gaborit, Jérôme Lacan, Edoardo Persichetti, Jean-Marc Robert, Pascal Véron, Gilles Zémor.
+- **Authors' website**: https://pqc-hqc.org/
+- **Specification version**: 2023-04-30.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
+  - **Implementation license (SPDX-Identifier)**: Public domain
+- **Ancestors of primary source**:
+  - https://github.com/SWilson4/package-pqclean/tree/8db1b24b/hqc, which takes it from:
+  - submission 2023-04-30 at https://pqc-hqc.org/implementation.html

-## Implementation
+## Parameter set summary

- **Source of implementation**: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: Public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AVX2, BMI1, PCLMULQDQ instructions (if available at run-time)
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+|     HQC-128     | NA                    | IND-CCA2         |                    1 |                      2249 |                      2305 |                      4433 |                           64 | NA                          |
+|     HQC-192     | NA                    | IND-CCA2         |                    3 |                      4522 |                      4586 |                      8978 |                           64 | NA                          |
+|     HQC-256     | NA                    | IND-CCA2         |                    5 |                      7245 |                      7317 |                     14421 |                           64 | NA                          |

-## Parameter sets
+## HQC-128 implementation characteristics

-| Parameter set | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-| ------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ----------------------- | -------------------------- |
-| HQC-128       | IND-CCA2       | 1                           | 2249                    | 2289                    | 4481                    | 64                         |
-| HQC-192       | IND-CCA2       | 3                           | 4522                    | 4562                    | 9026                    | 64                         |
-| HQC-256       | IND-CCA2       | 5                           | 7245                    | 7285                    | 14469                   | 64                         |
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## HQC-192 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## HQC-256 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/hqc.yml
+++ b/docs/algorithms/kem/hqc.yml
@ -0,0 +1,79 @@
+name: HQC
+type: kem
+principal-submitters:
+- Carlos Aguilar Melchor
+- Nicolas Aragon
+- Slim Bettaieb
+- Loïc Bidoux
+- Olivier Blazy
+- Jurjen Bos
+- Jean-Christophe Deneuville
+- Arnaud Dion
+- Philippe Gaborit
+- Jérôme Lacan
+- Edoardo Persichetti
+- Jean-Marc Robert
+- Pascal Véron
+- Gilles Zémor
+crypto-assumption: Syndrome decoding of structure codes (Hamming Quasi-Cyclic)
+website: https://pqc-hqc.org/
+nist-round: 4
+spec-version: 2023-04-30
+upstream-ancestors:
+- https://github.com/SWilson4/package-pqclean/tree/8db1b24b/hqc
+- submission 2023-04-30 at https://pqc-hqc.org/implementation.html
+parameter-sets:
+- name: HQC-128
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 2249
+  length-ciphertext: 4433
+  length-secret-key: 2305
+  length-shared-secret: 64
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: HQC-192
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-ciphertext: 8978
+  length-public-key: 4522
+  length-secret-key: 4586
+  length-shared-secret: 64
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: HQC-256
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-ciphertext: 14421
+  length-public-key: 7245
+  length-secret-key: 7317
+  length-shared-secret: 64
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+primary-upstream:
+  spdx-license-identifier: Public domain
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@ -1,26 +1,68 @@
-# CRYSTALS-Kyber
+# Kyber

- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: module learning with errors (MLWE)
- **Scheme authors**: Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehle
- **Authors' website**: https://pq-crystals.org/kyber
- **Version**: NIST Round 3 submission
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: Module LWE+R with base ring Z[x]/(3329, x^256+1).
+- **Principal submitters**: Peter Schwabe.
+- **Auxiliary submitters**: Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, Damien Stehlé.
+- **Authors' website**: https://pq-crystals.org/
+- **Specification version**: NIST Round 3 submission.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc with copy_from_upstream patches
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
+- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc with copy_from_upstream patches
+  - **oldpqclean-aarch64**:<a name="oldpqclean-aarch64"></a>
+      - **Source**: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a with copy_from_upstream patches
+      - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT
+- **Formally-verified Implementation sources**: 
+  - **libjade**:<a name="libjade"></a>
+      - **Source**: https://github.com/formosa-crypto/libjade/tree/release/2023.05-2 with copy_from_upstream patches
+      - **Implementation license (SPDX-Identifier)**: CC0-1.0 OR Apache-2.0

-## Implementation

- **Source of implementation**: https://github.com/pq-crystals/kyber
- **Implementation version**: https://github.com/pq-crystals/kyber.git, master, 8e9308bd0f25fa698e4f37aba216249261f8b352
- **License**: Public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AES, AVX2, BMI2, POPCNT, SSE2, SSSE3 instructions (if available at run-time)
+## Parameter set summary

-## Parameter sets
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+|    Kyber512     | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 | NA                          |
+|    Kyber768     | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 | NA                          |
+|    Kyber1024    | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 | NA                          |

-| Parameter set | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-| ------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ----------------------- | -------------------------- |
-| Kyber512      | IND-CCA2       | 1                           | 800                     | 1632                    | 768                     | 32                         |
-| Kyber768      | IND-CCA2       | 3                           | 1184                    | 2400                    | 1088                    | 32                         |
-| Kyber1024     | IND-CCA2       | 5                           | 1568                    | 3168                    | 1568                    | 32                         |
-| Kyber512-90s  | IND-CCA2       | 1                           | 800                     | 1632                    | 768                     | 32                         |
-| Kyber768-90s  | IND-CCA2       | 3                           | 1184                    | 2400                    | 1088                    | 32                         |
-| Kyber1024-90s | IND-CCA2       | 5                           | 1568                    | 3168                    | 1568                    | 32                         |
+## Kyber512 implementation characteristics
+
+|           Implementation source           | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+|     [Primary Source](#primary-source)     | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+|     [Primary Source](#primary-source)     | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                 |
+| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
+|            [libjade](#libjade)            | ref                      | x86\_64                     | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
+|            [libjade](#libjade)            | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | False                                          | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## Kyber768 implementation characteristics
+
+|           Implementation source           | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|     [Primary Source](#primary-source)     | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+|     [Primary Source](#primary-source)     | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
+| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+|            [libjade](#libjade)            | ref                      | x86\_64                     | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+|            [libjade](#libjade)            | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Kyber1024 implementation characteristics
+
+|           Implementation source           | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|     [Primary Source](#primary-source)     | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+|     [Primary Source](#primary-source)     | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
+| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/kyber.yml
+++ b/docs/algorithms/kem/kyber.yml
@ -0,0 +1,217 @@
+name: Kyber
+type: kem
+principal-submitters:
+- Peter Schwabe
+auxiliary-submitters:
+- Roberto Avanzi
+- Joppe Bos
+- Léo Ducas
+- Eike Kiltz
+- Tancrède Lepoint
+- Vadim Lyubashevsky
+- John M. Schanck
+- Gregor Seiler
+- Damien Stehlé
+crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
+website: https://pq-crystals.org/
+nist-round: 3
+spec-version: NIST Round 3 submission
+primary-upstream:
+  source: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc
+    with copy_from_upstream patches
+  spdx-license-identifier: CC0-1.0 or Apache-2.0
+optimized-upstreams:
+  oldpqclean-aarch64:
+    source: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a
+      with copy_from_upstream patches
+    spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
+      and MIT
+formally-verified-upstreams:
+  libjade:
+    source: https://github.com/formosa-crypto/libjade/tree/release/2023.05-2 with
+      copy_from_upstream patches
+    spdx-license-identifier: CC0-1.0 OR Apache-2.0
+parameter-sets:
+- name: Kyber512
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 800
+  length-ciphertext: 768
+  length-secret-key: 1632
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: oldpqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: libjade
+    upstream-id: ref
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: libjade
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Kyber768
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 1184
+  length-ciphertext: 1088
+  length-secret-key: 2400
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: oldpqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: libjade
+    upstream-id: ref
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: libjade
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Kyber1024
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1568
+  length-ciphertext: 1568
+  length-secret-key: 3168
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: oldpqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
--- a/docs/algorithms/kem/ml_kem.md
+++ b/docs/algorithms/kem/ml_kem.md
@ -0,0 +1,63 @@
+# ML-KEM
+
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: Module LWE+R with base ring Z[x]/(3329, x^256+1).
+- **Principal submitters**: Peter Schwabe.
+- **Auxiliary submitters**: Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, Damien Stehlé.
+- **Authors' website**: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
+- **Specification version**: ML-KEM.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
+- **Optimized Implementation sources**: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
+  - **cupqc-cuda**:<a name="cupqc-cuda"></a>
+      - **Source**: https://github.com/open-quantum-safe/liboqs-cupqc-meta/commit/b026f4e5475cd9c20c2082c7d9bad80e5b0ba89e
+      - **Implementation license (SPDX-Identifier)**: Apache-2.0
+
+
+## Parameter set summary
+
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |   Keypair seed size (bytes) |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|----------------------------:|
+|   ML-KEM-512    | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 |                          64 |
+|   ML-KEM-768    | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 |                          64 |
+|   ML-KEM-1024   | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |                          64 |
+
+## ML-KEM-512 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | x86\_64                  | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
+|     [cupqc-cuda](#cupqc-cuda)     | cuda                     | CUDA                        | Linux,Darwin                    | None                    | False                              | False                                          | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## ML-KEM-768 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | x86\_64                  | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+|     [cupqc-cuda](#cupqc-cuda)     | cuda                     | CUDA                        | Linux,Darwin                    | None                    | False                              | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## ML-KEM-1024 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | x86\_64                  | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+|     [cupqc-cuda](#cupqc-cuda)     | cuda                     | CUDA                        | Linux,Darwin                    | None                    | False                              | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/ml_kem.yml
+++ b/docs/algorithms/kem/ml_kem.yml
@ -0,0 +1,194 @@
+name: ML-KEM
+type: kem
+principal-submitters:
+- Peter Schwabe
+auxiliary-submitters:
+- Roberto Avanzi
+- Joppe Bos
+- Léo Ducas
+- Eike Kiltz
+- Tancrède Lepoint
+- Vadim Lyubashevsky
+- John M. Schanck
+- Gregor Seiler
+- Damien Stehlé
+crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
+website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
+nist-round: FIPS203
+spec-version: ML-KEM
+primary-upstream:
+  source: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
+  spdx-license-identifier: CC0-1.0 or Apache-2.0
+optimized-upstreams:
+  cupqc-cuda:
+    source: https://github.com/open-quantum-safe/liboqs-cupqc-meta/commit/b026f4e5475cd9c20c2082c7d9bad80e5b0ba89e
+    spdx-license-identifier: Apache-2.0
+parameter-sets:
+- name: ML-KEM-512
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 800
+  length-ciphertext: 768
+  length-secret-key: 1632
+  length-shared-secret: 32
+  length-keypair-seed: 64
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: x86_64
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: cupqc-cuda
+    upstream-id: cuda
+    supported-platforms:
+    - architecture: CUDA
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: ML-KEM-768
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 1184
+  length-ciphertext: 1088
+  length-secret-key: 2400
+  length-shared-secret: 32
+  length-keypair-seed: 64
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: x86_64
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: cupqc-cuda
+    upstream-id: cuda
+    supported-platforms:
+    - architecture: CUDA
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: ML-KEM-1024
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1568
+  length-ciphertext: 1568
+  length-secret-key: 3168
+  length-shared-secret: 32
+  length-keypair-seed: 64
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: x86_64
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: cupqc-cuda
+    upstream-id: cuda
+    supported-platforms:
+    - architecture: CUDA
+      operating_systems:
+      - Linux
+      - Darwin
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
--- a/docs/algorithms/kem/ntru.md
+++ b/docs/algorithms/kem/ntru.md
@ -1,24 +0,0 @@
-# NTRU
-
- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: NTRU
- **Scheme authors**: John M. Schanck, Cong Chen, Oussama Danba, Jeffrey Hoffstein, Andreas Hülsing, Joost Rijneveld, Peter Schwabe, William Whyte, Zhenfei Zhang
- **Authors' website**: https://ntru.org
- **Version**: NIST Round 3 submission
-
-## Implementation
-
- **Source of implementation**: https://github.com/jschanck/ntru/tree/a43a4457
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: Public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AVX2, BMI2 instructions (if available at run-time)
-
-## Parameter sets
-
-| Parameter set     | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-| ----------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ----------------------- | -------------------------- |
-| NTRU-HPS-2048-509 | IND-CCA2       | 1                           | 699                     | 935                     | 699                     | 32                         |
-| NTRU-HPS-2048-677 | IND-CCA2       | 3                           | 930                     | 1234                    | 930                     | 32                         |
-| NTRU-HPS-4096-821 | IND-CCA2       | 5                           | 1230                    | 1590                    | 1230                    | 32                         |
-| NTRU-HRSS-701     | IND-CCA2       | 3                           | 1138                    | 1450                    | 1138                    | 32                         |
--- a/docs/algorithms/kem/ntruprime.md
+++ b/docs/algorithms/kem/ntruprime.md
@ -1,26 +1,34 @@
 # NTRU-Prime

- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: NTRU
- **Scheme authors**: Daniel J. Bernstein, Billy Bob Brumley, Ming-Shing Chen, Chitchanok Chuengsatiansup, Tanja Lange, Adrian Marotzke, Bo-Yuan Peng, Nicola Tuveri, Christine van Vredendaal, Bo-Yin Yang
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: NTRU.
+- **Principal submitters**: Daniel J. Bernstein, Billy Bob Brumley, Ming-Shing Chen, Chitchanok Chuengsatiansup, Tanja Lange, Adrian Marotzke, Bo-Yuan Peng, Nicola Tuveri, Christine van Vredendaal, Bo-Yin Yang.
 - **Authors' website**: https://ntruprime.cr.yp.to
- **Version**: supercop-20200826
+- **Specification version**: supercop-20200826.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQClean/PQClean/commit/4c9e5a3aa715cc8d1d0e377e4e6e682ebd7602d6
+  - **Implementation license (SPDX-Identifier)**: Public domain
+- **Ancestors of primary source**:
+  - https://github.com/jschanck/package-pqclean/tree/4d9f08c3/ntruprime, which takes it from:
+  - supercop-20210604

-## Implementation
+## Parameter set summary

- **Source of implementation**: SUPERCOP-20200826
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: Public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AVX2 instructions (if available at run-time)
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+|    sntrup761    | NA                    | IND-CCA2         |                    2 |                      1158 |                      1763 |                      1039 |                           32 | NA                          |

-## Parameter sets
+## sntrup761 implementation characteristics

-| Parameter set | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-| ------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ----------------------- | -------------------------- |
-| ntrulpr653    | IND-CCA2       | 2                           | 897                     | 1125                    | 1025                    | 32                         |
-| ntrulpr761    | IND-CCA2       | 3                           | 1039                    | 1294                    | 1167                    | 32                         |
-| ntrulpr857    | IND-CCA2       | 4                           | 1184                    | 1463                    | 1312                    | 32                         |
-| sntrup653     | IND-CCA2       | 2                           | 994                     | 1518                    | 897                     | 32                         |
-| sntrup761     | IND-CCA2       | 3                           | 1158                    | 1763                    | 1039                    | 32                         |
-| sntrup857     | IND-CCA2       | 4                           | 1322                    | 1999                    | 1184                    | 32                         |
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | False                              | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/ntruprime.yml
+++ b/docs/algorithms/kem/ntruprime.yml
@ -0,0 +1,57 @@
+name: NTRU-Prime
+type: kem
+principal-submitters:
+- Daniel J. Bernstein
+- Billy Bob Brumley
+- Ming-Shing Chen
+- Chitchanok Chuengsatiansup
+- Tanja Lange
+- Adrian Marotzke
+- Bo-Yuan Peng
+- Nicola Tuveri
+- Christine van Vredendaal
+- Bo-Yin Yang
+crypto-assumption: NTRU
+website: https://ntruprime.cr.yp.to
+nist-round: 3
+spec-version: supercop-20200826
+upstream-ancestors:
+- https://github.com/jschanck/package-pqclean/tree/4d9f08c3/ntruprime
+- supercop-20210604
+parameter-sets:
+- name: sntrup761
+  claimed-nist-level: 2
+  claimed-security: IND-CCA2
+  length-ciphertext: 1039
+  length-public-key: 1158
+  length-secret-key: 1763
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - AES: liboqs
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - AES: liboqs
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+primary-upstream:
+  spdx-license-identifier: Public domain
+  source: https://github.com/PQClean/PQClean/commit/4c9e5a3aa715cc8d1d0e377e4e6e682ebd7602d6
--- a/docs/algorithms/kem/saber.md
+++ b/docs/algorithms/kem/saber.md
@ -1,23 +0,0 @@
-# SABER
-
- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: module learning with rounding
- **Scheme authors**: Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederic Vercauteren
- **Authors' website**: https://www.esat.kuleuven.be/cosic/pqcrypto/saber/
- **Version**: NIST Round 3 submission
-
-## Implementation
-
- **Source of implementation**: https://github.com/KULeuven-COSIC/SABER/tree/509cc5ec3a7e12a751ccdd2ef5bd6e54e00bd350 via https://github.com/jschanck/package-pqclean/tree/1ae84c3c/saber
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: Public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AVX2 instructions (if available at run-time)
-
-## Parameter sets
-
-| Parameter set  | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-| -------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ----------------------- | -------------------------- |
-| LightSaber-KEM | IND-CCA2       | 1                           | 672                     | 1568                    | 736                     | 32                         |
-| Saber-KEM      | IND-CCA2       | 3                           | 992                     | 2304                    | 1088                    | 32                         |
-| FireSaber-KEM  | IND-CCA2       | 5                           | 1312                    | 3040                    | 1472                    | 32                         |
--- a/docs/algorithms/kem/sike.md
+++ b/docs/algorithms/kem/sike.md
@ -1,45 +0,0 @@
-SIKE
-====
-
- **Algorithm type**: key encapsulation mechanism
- **Main cryptographic assumption**: (supersingular) isogeny walk problem
- **Scheme authors**: David Jao, Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Amir Jalali, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev, David Urbanik
- **Authors' website**: http://sike.org/
- **Version**: 3.4
- **Added to liboqs by**: Christian Paquin
-
-Implementation
--------------
-
- **Source of implementation**: https://github.com/Microsoft/PQCrypto-SIDH
- **Implementation version**: https://github.com/microsoft/PQCrypto-SIDH/commit/10b0f4dca695751290e5ddf5b297a9a2f0563287 (bugfix on v3.4)
- **License**: MIT License
- **Constant-time**: Yes
- **Optimizations**: Portable C, with assembly optimizations on AMD64 and selected parameter sets on ARM64 (selected at compile-time, enabled by default if available)
-
-Parameter sets
--------------
-
-| Parameter set        | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
-|----------------------|:--------------:|:---------------------------:|:-----------------------:|:-----------------------:|:-----------------------:|:--------------------------:|
-| SIDH-p434            |     IND-CPA    |              1              |           330           |            28           |           330           |             110            |
-| SIDH-p434-compressed |     IND-CPA    |              1              |           197           |            28           |           197           |             110            |
-| SIDH-p503            |     IND-CPA    |              2              |           378           |            32           |           378           |             126            |
-| SIDH-p503-compressed |     IND-CPA    |              2              |           225           |            32           |           225           |             126            |
-| SIDH-p610            |     IND-CPA    |              3              |           462           |            39           |           462           |             154            |
-| SIDH-p610-compressed |     IND-CPA    |              3              |           274           |            39           |           274           |             154            |
-| SIDH-p751            |     IND-CPA    |              5              |           564           |            48           |           564           |             188            |
-| SIDH-p751-compressed |     IND-CPA    |              5              |           335           |            48           |           335           |             188            |
-| SIKE-p434            |     IND-CCA    |              1              |           330           |           374           |           346           |             16             |
-| SIKE-p434-compressed |     IND-CCA    |              1              |           197           |           350           |           236           |             16             |
-| SIKE-p503            |     IND-CCA    |              2              |           378           |           434           |           402           |             24             |
-| SIKE-p503-compressed |     IND-CCA    |              2              |           225           |           407           |           280           |             24             |
-| SIKE-p610            |     IND-CCA    |              3              |           462           |           524           |           486           |             24             |
-| SIKE-p610-compressed |     IND-CCA    |              3              |           274           |           491           |           336           |             24             |
-| SIKE-p751            |     IND-CCA    |              5              |           564           |           644           |           596           |             32             |
-| SIKE-p751-compressed |     IND-CCA    |              5              |           335           |           602           |           410           |             32             |
-
-Additional comments
-------------------
-
-No KAT are available for SIDH.
--- a/docs/algorithms/sig/cross.md
+++ b/docs/algorithms/sig/cross.md
@ -0,0 +1,203 @@
+# CROSS
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: hardness of the restricted syndrome decoding problem for random linear codes on a finite field.
+- **Principal submitters**: Marco Baldi, Alessandro Barenghi, Michele Battagliola, Sebastian Bitzer, Patrick Karl, Felice Manganiello, Alessio Pavoni, Gerardo Pelosi, Paolo Santini, Jonas Schupp, Edoardo Signorini, Freeman Slaughter, Antonia Wachter-Zeh, Violetta Weger.
+- **Auxiliary submitters**: Marco Gianvecchio.
+- **Authors' website**: https://www.cross-crypto.com/
+- **Specification version**: 2.0 + PQClean and OQS patches.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/CROSS-signature/CROSS-lib-oqs/commit/efd17279e75308b000bda7c7f58866620d652bc1
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0
+
+
+## Parameter set summary
+
+|      Parameter set       | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+| cross-rsdp-128-balanced  | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    13152 |
+|   cross-rsdp-128-fast    | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    18432 |
+|   cross-rsdp-128-small   | NA                    | EUF-CMA          |                    1 |                        77 |                        32 |                    12432 |
+| cross-rsdp-192-balanced  | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    29853 |
+|   cross-rsdp-192-fast    | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    41406 |
+|   cross-rsdp-192-small   | NA                    | EUF-CMA          |                    3 |                       115 |                        48 |                    28391 |
+| cross-rsdp-256-balanced  | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    53527 |
+|   cross-rsdp-256-fast    | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    74590 |
+|   cross-rsdp-256-small   | NA                    | EUF-CMA          |                    5 |                       153 |                        64 |                    50818 |
+| cross-rsdpg-128-balanced | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                     9120 |
+|   cross-rsdpg-128-fast   | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                    11980 |
+|  cross-rsdpg-128-small   | NA                    | EUF-CMA          |                    1 |                        54 |                        32 |                     8960 |
+| cross-rsdpg-192-balanced | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    22464 |
+|   cross-rsdpg-192-fast   | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    26772 |
+|  cross-rsdpg-192-small   | NA                    | EUF-CMA          |                    3 |                        83 |                        48 |                    20452 |
+| cross-rsdpg-256-balanced | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    40100 |
+|   cross-rsdpg-256-fast   | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    48102 |
+|  cross-rsdpg-256-small   | NA                    | EUF-CMA          |                    5 |                       106 |                        64 |                    36454 |
+
+## cross-rsdp-128-balanced implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## cross-rsdp-128-fast implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-128-small implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-192-balanced implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-192-fast implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-192-small implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-256-balanced implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-256-fast implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdp-256-small implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-128-balanced implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-128-fast implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-128-small implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-192-balanced implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-192-fast implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-192-small implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-256-balanced implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-256-fast implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## cross-rsdpg-256-small implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | All                             | AVX2                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **No**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/cross.yml
+++ b/docs/algorithms/sig/cross.yml
@ -0,0 +1,532 @@
+name: CROSS
+type: signature
+principal-submitters:
+- Marco Baldi
+- Alessandro Barenghi
+- Michele Battagliola
+- Sebastian Bitzer
+- Patrick Karl
+- Felice Manganiello
+- Alessio Pavoni
+- Gerardo Pelosi
+- Paolo Santini
+- Jonas Schupp
+- Edoardo Signorini
+- Freeman Slaughter
+- Antonia Wachter-Zeh
+- Violetta Weger
+auxiliary-submitters:
+- Marco Gianvecchio
+crypto-assumption: hardness of the restricted syndrome decoding problem for random
+  linear codes on a finite field
+website: https://www.cross-crypto.com/
+nist-round: 2
+spec-version: 2.0 + PQClean and OQS patches
+primary-upstream:
+  source: https://github.com/CROSS-signature/CROSS-lib-oqs/commit/efd17279e75308b000bda7c7f58866620d652bc1
+  spdx-license-identifier: CC0-1.0
+parameter-sets:
+- name: cross-rsdp-128-balanced
+  oqs_alg: OQS_SIG_alg_cross_rsdp_128_balanced
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 77
+  length-secret-key: 32
+  length-signature: 13152
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdp-128-fast
+  oqs_alg: OQS_SIG_alg_cross_rsdp_128_fast
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 77
+  length-secret-key: 32
+  length-signature: 18432
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdp-128-small
+  oqs_alg: OQS_SIG_alg_cross_rsdp_128_small
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 77
+  length-secret-key: 32
+  length-signature: 12432
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: cross-rsdp-192-balanced
+  oqs_alg: OQS_SIG_alg_cross_rsdp_192_balanced
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 115
+  length-secret-key: 48
+  length-signature: 29853
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdp-192-fast
+  oqs_alg: OQS_SIG_alg_cross_rsdp_192_fast
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 115
+  length-secret-key: 48
+  length-signature: 41406
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdp-192-small
+  oqs_alg: OQS_SIG_alg_cross_rsdp_192_small
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 115
+  length-secret-key: 48
+  length-signature: 28391
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: cross-rsdp-256-balanced
+  oqs_alg: OQS_SIG_alg_cross_rsdp_256_balanced
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 153
+  length-secret-key: 64
+  length-signature: 53527
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: cross-rsdp-256-fast
+  oqs_alg: OQS_SIG_alg_cross_rsdp_256_fast
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 153
+  length-secret-key: 64
+  length-signature: 74590
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdp-256-small
+  oqs_alg: OQS_SIG_alg_cross_rsdp_256_small
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 153
+  length-secret-key: 64
+  length-signature: 50818
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: cross-rsdpg-128-balanced
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_128_balanced
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 54
+  length-secret-key: 32
+  length-signature: 9120
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-128-fast
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_128_fast
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 54
+  length-secret-key: 32
+  length-signature: 11980
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-128-small
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_128_small
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 54
+  length-secret-key: 32
+  length-signature: 8960
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-192-balanced
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_192_balanced
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 83
+  length-secret-key: 48
+  length-signature: 22464
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-192-fast
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_192_fast
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 83
+  length-secret-key: 48
+  length-signature: 26772
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-192-small
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_192_small
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 83
+  length-secret-key: 48
+  length-signature: 20452
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: cross-rsdpg-256-balanced
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_256_balanced
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 106
+  length-secret-key: 64
+  length-signature: 40100
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-256-fast
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_256_fast
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 106
+  length-secret-key: 64
+  length-signature: 48102
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: cross-rsdpg-256-small
+  oqs_alg: OQS_SIG_alg_cross_rsdpg_256_small
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 106
+  length-secret-key: 64
+  length-signature: 36454
+  implementations-switch-on-runtime-cpu-features: false
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
--- a/docs/algorithms/sig/dilithium.md
+++ b/docs/algorithms/sig/dilithium.md
@ -1,26 +1,60 @@
 # CRYSTALS-Dilithium

- **Algorithm type**: signature
+- **Algorithm type**: Digital signature scheme.
 - **Main cryptographic assumption**: hardness of lattice problems over module lattices.
- **Scheme authors**: Vadim Lyubashevsky, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehle
+- **Principal submitters**: Vadim Lyubashevsky.
+- **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
 - **Authors' website**: https://pq-crystals.org/dilithium/
- **Version**: 3.1
+- **Specification version**: 3.1.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 with copy_from_upstream patches
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
+- **Optimized Implementation sources**: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 with copy_from_upstream patches
+  - **oldpqclean-aarch64**:<a name="oldpqclean-aarch64"></a>
+      - **Source**: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a with copy_from_upstream patches
+      - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT

-## Implementation

- **Source of implementation**: https://github.com/pq-crystals/dilithium
- **Implementation version**: https://github.com/pq-crystals/dilithium.git, master, 9dddb2a0537734e749ec2c8d4f952cb90cd9e67b
- **License**: public domain
- **Constant-time**: Yes
- **Optimizations**: Portable C with AES, AVX2, POPCNT, SSE2, SSSE3 instructions (if available at run-time)
+## Parameter set summary

-## Parameter sets
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+|   Dilithium2    | NA                    | SUF-CMA          |                    2 |                      1312 |                      2528 |                     2420 |
+|   Dilithium3    | NA                    | SUF-CMA          |                    3 |                      1952 |                      4000 |                     3293 |
+|   Dilithium5    | NA                    | SUF-CMA          |                    5 |                      2592 |                      4864 |                     4595 |

-| Parameter set  | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
-| -------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ---------------------- |
-| Dilithium2     | EUF-CMA        | 2                           | 1312                    | 2528                    | 2420                   |
-| Dilithium3     | EUF-CMA        | 3                           | 1952                    | 4000                    | 3293                   |
-| Dilithium5     | EUF-CMA        | 5                           | 2592                    | 4864                    | 4595                   |
-| Dilithium2-AES | EUF-CMA        | 2                           | 1312                    | 2528                    | 2420                   |
-| Dilithium3-AES | EUF-CMA        | 3                           | 1952                    | 4000                    | 3293                   |
-| Dilithium5-AES | EUF-CMA        | 5                           | 2592                    | 4864                    | 4595                   |
+## Dilithium2 implementation characteristics
+
+|           Implementation source           | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+|     [Primary Source](#primary-source)     | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+|     [Primary Source](#primary-source)     | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2,POPCNT             | True                               | True                                           | False                 |
+| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## Dilithium3 implementation characteristics
+
+|           Implementation source           | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|     [Primary Source](#primary-source)     | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+|     [Primary Source](#primary-source)     | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2,POPCNT             | True                               | True                                           | False                |
+| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Dilithium5 implementation characteristics
+
+|           Implementation source           | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|     [Primary Source](#primary-source)     | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+|     [Primary Source](#primary-source)     | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2,POPCNT             | True                               | True                                           | False                |
+| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/dilithium.yml
+++ b/docs/algorithms/sig/dilithium.yml
@ -0,0 +1,159 @@
+name: CRYSTALS-Dilithium
+type: signature
+principal-submitters:
+- Vadim Lyubashevsky
+auxiliary-submitters:
+- Shi Bai
+- Léo Ducas
+- Eike Kiltz
+- Tancrède Lepoint
+- Peter Schwabe
+- Gregor Seiler
+- Damien Stehlé
+crypto-assumption: hardness of lattice problems over module lattices
+website: https://pq-crystals.org/dilithium/
+nist-round: 3
+spec-version: 3.1
+primary-upstream:
+  source: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51
+    with copy_from_upstream patches
+  spdx-license-identifier: CC0-1.0 or Apache-2.0
+optimized-upstreams:
+  oldpqclean-aarch64:
+    source: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a
+      with copy_from_upstream patches
+    spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
+      and MIT
+parameter-sets:
+- name: Dilithium2
+  oqs_alg: OQS_SIG_alg_dilithium_2
+  claimed-nist-level: 2
+  claimed-security: SUF-CMA
+  length-public-key: 1312
+  length-secret-key: 2528
+  length-signature: 2420
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: oldpqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Dilithium3
+  oqs_alg: OQS_SIG_alg_dilithium_3
+  claimed-nist-level: 3
+  claimed-security: SUF-CMA
+  length-public-key: 1952
+  length-secret-key: 4000
+  length-signature: 3293
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: oldpqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Dilithium5
+  oqs_alg: OQS_SIG_alg_dilithium_5
+  claimed-nist-level: 5
+  claimed-security: SUF-CMA
+  length-public-key: 2592
+  length-secret-key: 4864
+  length-signature: 4595
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: oldpqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
--- a/docs/algorithms/sig/falcon.md
+++ b/docs/algorithms/sig/falcon.md
@ -1,22 +1,71 @@
 # Falcon

- **Algorithm type**: signature
- **Main cryptographic assumption**: hardness of NTRU lattice problems
- **Scheme authors**: Thomas Prest, Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Ricosset, Gregor Seiler, William Whyte, Zhenfei Zhang
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: hardness of NTRU lattice problems.
+- **Principal submitters**: Thomas Prest.
+- **Auxiliary submitters**: Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, Zhenfei Zhang.
 - **Authors' website**: https://falcon-sign.info
- **Version**: 20201018
+- **Specification version**: 20211101.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
+  - **Implementation license (SPDX-Identifier)**: MIT
+- **Optimized Implementation sources**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
+  - **pqclean-aarch64**:<a name="pqclean-aarch64"></a>
+      - **Source**: https://github.com/PQClean/PQClean/commit/7707d1bcc8ae7f9ffd296dd13b1d76d2767d14f8
+      - **Implementation license (SPDX-Identifier)**: Apache-2.0

-## Implementation

- **Source of implementation**: supercop-20201018 via https://github.com/jschanck/package-pqclean/tree/cea1fa5a/falcon
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: CC0 1.0 Universal
- **Constant-time**: Yes
- **Optimizations**: Portable C with AVX2 instructions (if available at run-time)
+## Parameter set summary

-## Parameter sets
+|   Parameter set    | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+|     Falcon-512     | NA                    | EUF-CMA          |                    1 |                       897 |                      1281 |                      752 |
+|    Falcon-1024     | NA                    | EUF-CMA          |                    5 |                      1793 |                      2305 |                     1462 |
+| Falcon-padded-512  | NA                    | EUF-CMA          |                    1 |                       897 |                      1281 |                      666 |
+| Falcon-padded-1024 | NA                    | EUF-CMA          |                    5 |                      1793 |                      2305 |                     1280 |

-| Parameter set | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
-| ------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ---------------------- |
-| Falcon-512    | EUF-CMA        | 1                           | 897                     | 1281                    | 690                    |
-| Falcon-1024   | EUF-CMA        | 5                           | 1793                    | 2305                    | 1330                   |
+## Falcon-512 implementation characteristics
+
+|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+|  [Primary Source](#primary-source)  | clean                    | All                         | All                             | None                    | True                               | True                                           | False                 |
+|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | All                             | AVX2                    | False                              | False                                          | False                 |
+| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | False                              | False                                          | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## Falcon-1024 implementation characteristics
+
+|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|  [Primary Source](#primary-source)  | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | All                             | AVX2                    | False                              | False                                          | False                |
+| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | False                              | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Falcon-padded-512 implementation characteristics
+
+|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|  [Primary Source](#primary-source)  | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | All                             | AVX2                    | False                              | False                                          | False                |
+| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | False                              | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Falcon-padded-1024 implementation characteristics
+
+|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+|  [Primary Source](#primary-source)  | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | All                             | AVX2                    | False                              | False                                          | False                |
+| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | False                              | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/falcon.yml
+++ b/docs/algorithms/sig/falcon.yml
@ -0,0 +1,185 @@
+name: Falcon
+type: signature
+principal-submitters:
+- Thomas Prest
+auxiliary-submitters:
+- Pierre-Alain Fouque
+- Jeffrey Hoffstein
+- Paul Kirchner
+- Vadim Lyubashevsky
+- Thomas Pornin
+- Thomas Prest
+- Thomas Ricosset
+- Gregor Seiler
+- William Whyte
+- Zhenfei Zhang
+crypto-assumption: hardness of NTRU lattice problems
+website: https://falcon-sign.info
+nist-round: 3
+spec-version: 20211101
+primary-upstream:
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
+  spdx-license-identifier: MIT
+  upstream-ancestors:
+  - https://www.falcon-sign.info
+optimized-upstreams:
+  pqclean-aarch64:
+    source: https://github.com/PQClean/PQClean/commit/7707d1bcc8ae7f9ffd296dd13b1d76d2767d14f8
+    spdx-license-identifier: Apache-2.0
+parameter-sets:
+- name: Falcon-512
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 897
+  length-secret-key: 1281
+  length-signature: 752
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: pqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Falcon-1024
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 1793
+  length-secret-key: 2305
+  length-signature: 1462
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: pqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Falcon-padded-512
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 897
+  length-secret-key: 1281
+  length-signature: 666
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: pqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: Falcon-padded-1024
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 1793
+  length-secret-key: 2305
+  length-signature: 1280
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: pqclean-aarch64
+    upstream-id: aarch64
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
--- a/docs/algorithms/sig/mayo.md
+++ b/docs/algorithms/sig/mayo.md
@ -0,0 +1,66 @@
+# MAYO
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: multivariable quadratic equations, oil and vinegar.
+- **Principal submitters**: Ward Beullens, Fabio Campos, Sofía Celi, Basil Hess, Matthias J. Kannwischer.
+- **Authors' website**: https://pqmayo.org
+- **Specification version**: NIST Round 2 (February 2025).
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQCMayo/MAYO-C/commit/4b7cd94c96b9522864efe40c6ad1fa269584a807 with copy_from_upstream patches
+  - **Implementation license (SPDX-Identifier)**: Apache-2.0
+
+
+## Parameter set summary
+
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+|     MAYO-1      | NA                    | EUF-CMA          |                    1 |                      1420 |                        24 |                      454 |
+|     MAYO-2      | NA                    | EUF-CMA          |                    1 |                      4912 |                        24 |                      186 |
+|     MAYO-3      | NA                    | EUF-CMA          |                    3 |                      2986 |                        32 |                      681 |
+|     MAYO-5      | NA                    | EUF-CMA          |                    5 |                      5554 |                        40 |                      964 |
+
+## MAYO-1 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## MAYO-2 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## MAYO-3 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## MAYO-5 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | False                                          | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/mayo.yml
+++ b/docs/algorithms/sig/mayo.yml
@ -0,0 +1,195 @@
+name: MAYO
+type: signature
+principal-submitters:
+- Ward Beullens
+- Fabio Campos
+- Sofía Celi
+- Basil Hess
+- Matthias J. Kannwischer
+crypto-assumption: multivariable quadratic equations, oil and vinegar
+website: https://pqmayo.org
+nist-round: 2
+spec-version: NIST Round 2 (February 2025)
+primary-upstream:
+  source: https://github.com/PQCMayo/MAYO-C/commit/4b7cd94c96b9522864efe40c6ad1fa269584a807
+    with copy_from_upstream patches
+  spdx-license-identifier: Apache-2.0
+parameter-sets:
+- name: MAYO-1
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 1420
+  length-secret-key: 24
+  length-signature: 454
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: MAYO-2
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 4912
+  length-secret-key: 24
+  length-signature: 186
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: MAYO-3
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 2986
+  length-secret-key: 32
+  length-signature: 681
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+- name: MAYO-5
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 5554
+  length-secret-key: 40
+  length-signature: 964
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: true
--- a/docs/algorithms/sig/ml_dsa.md
+++ b/docs/algorithms/sig/ml_dsa.md
@ -0,0 +1,53 @@
+# ML-DSA
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: hardness of lattice problems over module lattices.
+- **Principal submitters**: Vadim Lyubashevsky.
+- **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
+- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
+- **Specification version**: ML-DSA.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/pq-crystals/dilithium/commit/444cdcc84eb36b66fe27b3a2529ee48f6d8150c2 with copy_from_upstream patches
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
+
+
+## Parameter set summary
+
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+|    ML-DSA-44    | NA                    | SUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
+|    ML-DSA-65    | NA                    | SUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
+|    ML-DSA-87    | NA                    | SUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
+
+## ML-DSA-44 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2,POPCNT             | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## ML-DSA-65 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2,POPCNT             | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## ML-DSA-87 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Darwin,Linux                    | AVX2,POPCNT             | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/ml_dsa.yml
+++ b/docs/algorithms/sig/ml_dsa.yml
@ -0,0 +1,114 @@
+name: ML-DSA
+type: signature
+principal-submitters:
+- Vadim Lyubashevsky
+auxiliary-submitters:
+- Shi Bai
+- Léo Ducas
+- Eike Kiltz
+- Tancrède Lepoint
+- Peter Schwabe
+- Gregor Seiler
+- Damien Stehlé
+crypto-assumption: hardness of lattice problems over module lattices
+website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
+nist-round: FIPS204
+spec-version: ML-DSA
+primary-upstream:
+  source: https://github.com/pq-crystals/dilithium/commit/444cdcc84eb36b66fe27b3a2529ee48f6d8150c2
+    with copy_from_upstream patches
+  spdx-license-identifier: CC0-1.0 or Apache-2.0
+parameter-sets:
+- name: ML-DSA-44
+  claimed-nist-level: 2
+  claimed-security: SUF-CMA
+  length-public-key: 1312
+  length-secret-key: 2560
+  length-signature: 2420
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: ML-DSA-65
+  claimed-nist-level: 3
+  claimed-security: SUF-CMA
+  length-public-key: 1952
+  length-secret-key: 4032
+  length-signature: 3309
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: ML-DSA-87
+  claimed-nist-level: 5
+  claimed-security: SUF-CMA
+  length-public-key: 2592
+  length-secret-key: 4896
+  length-signature: 4627
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Darwin
+      - Linux
+      required_flags:
+      - avx2
+      - popcnt
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
--- a/docs/algorithms/sig/picnic.md
+++ b/docs/algorithms/sig/picnic.md
@ -1,41 +0,0 @@
-Picnic
-======
-
- **Algorithm type**: signature
- **Main cryptographic assumption**: hash function security (ROM/QROM), key recovery attacks on the lowMC block cipher
- **Scheme authors**: Greg Zaverucha, Melissa Chase, David Derler, Steven Goldfeder, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger, Daniel Slamanig, Jonathan Katz, Xiao Wang, Vladmir Kolesnikov
- **Authors' website**: https://microsoft.github.io/Picnic/
- **Version**: 3.0.3
- **Added to liboqs by**: Christian Paquin
-
-Implementation
--------------
-
- **Source of implementation**: https://github.com/IAIK/Picnic
- **Implementation version**: https://github.com/IAIK/Picnic/tree/v3.0.4
- **License**: MIT License
- **Constant-time**: Yes
- **Optimizations**: Portable C with optional use of AVX2 and SSE2 instructions (selected at compile-time, enabled by default if available)
-
-Parameter sets
--------------
-
-| Parameter set   | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
-|-----------------|:--------------:|:---------------------------:|:-----------------------:|:-----------------------:|:----------------------:|
-| picnic_L1_FS    |     EUF-CMA    |              1              |            33           |            49           |          34036         |
-| picnic_L1_UR    |     EUF-CMA    |              1              |            33           |            49           |          53965         |
-| picnic_L1_full  |     EUF-CMA    |              1              |            35           |            52           |          32065         |
-| picnic_L3_FS    |     EUF-CMA    |              3              |            49           |            73           |          76776         |
-| picnic_L3_UR    |     EUF-CMA    |              3              |            49           |            73           |         121849         |
-| picnic_L3_full  |     EUF-CMA    |              3              |            49           |            73           |          71183         |
-| picnic_L5_FS    |     EUF-CMA    |              5              |            65           |            97           |         132860         |
-| picnic_L5_UR    |     EUF-CMA    |              5              |            65           |            97           |         209510         |
-| picnic_L5_full  |     EUF-CMA    |              5              |            65           |            97           |         126290         |
-| picnic3_L1      |     EUF-CMA    |              1              |            35           |            52           |          14612         |
-| picnic3_L3      |     EUF-CMA    |              3              |            49           |            73           |          35028         |
-| picnic3_L5      |     EUF-CMA    |              5              |            65           |            97           |          61028         |
-
-Additional comments
-------------------
-
-The original Picnic implementation includes optimizations that are not currently being built in liboqs. See src/sig/picnic/external/README.md for details.
--- a/docs/algorithms/sig/rainbow.md
+++ b/docs/algorithms/sig/rainbow.md
@ -1,32 +0,0 @@
-# Rainbow
-
- **Algorithm type**: signature
- **Main cryptographic assumption**: multivariable polynomials, unbalanced oil and vinegar
- **Scheme authors**: Jintai Ding, Ming-Shing Chen, Albrecht Petzoldt, Dieter Schmidt, Bo-Yin Yang
- **Version**: NIST Round 3 submission
-
-## Implementation
-
- **Source of implementation**: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: CC0 1.0
- **Constant-time**: Yes
- **Optimizations**: Portable C
-
-## Parameter sets
-
-| Parameter set              | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
-| -------------------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ---------------------- |
-| Rainbow-I-Classic          | EUF-CMA        | 1                           | 161600                  | 103648                  | 66                     |
-| Rainbow-I-Circumzenithal   | EUF-CMA        | 1                           | 60192                   | 103648                  | 66                     |
-| Rainbow-I-Compressed       | EUF-CMA        | 1                           | 60192                   | 64                      | 66                     |
-| Rainbow-III-Classic        | EUF-CMA        | 3                           | 882080                  | 626048                  | 164                    |
-| Rainbow-III-Circumzenithal | EUF-CMA        | 3                           | 264608                  | 626048                  | 164                    |
-| Rainbow-III-Compressed     | EUF-CMA        | 3                           | 264608                  | 64                      | 164                    |
-| Rainbow-V-Classic          | EUF-CMA        | 5                           | 1930600                 | 1408736                 | 212                    |
-| Rainbow-V-Circumzenithal   | EUF-CMA        | 5                           | 536136                  | 1408736                 | 212                    |
-| Rainbow-V-Compressed       | EUF-CMA        | 5                           | 536136                  | 64                      | 212                    |
-
-## Security considerations
-
-In October 2020, Beullens announced [improved cryptanalysis of Rainbow](https://eprint.iacr.org/2020/1343.pdf) that somewhat reduces the security of the Round 2 and Round 3 parameters.  [As of October 28, 2020](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/70We3SNi7Ss), the scheme authors have acknowledged the attack and are preparing a response.
--- a/docs/algorithms/sig/snova.md
+++ b/docs/algorithms/sig/snova.md
@ -0,0 +1,154 @@
+# SNOVA
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: multivariable quadratic equations, oil and vinegar.
+- **Principal submitters**: Lih-Chung Wang, Chun-Yen Chou, Jintai Ding, Yen-Liang Kuan, Jan Adriaan Leegwater, Ming-Siou Li, Bo-Shu Tseng, Po-En Tseng, Chia-Chun Wang.
+- **Authors' website**: https://snova.pqclab.org/
+- **Specification version**: Round 2.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/vacuas/SNOVA/commit/1c3ca6f4f7286c0bde98d7d6f222cf63b9d52bff
+  - **Implementation license (SPDX-Identifier)**: MIT
+
+
+## Parameter set summary
+
+|        Parameter set        | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:---------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+|       SNOVA\_24\_5\_4       | NA                    | EUF-CMA          |                    1 |                      1016 |                        48 |                      248 |
+|   SNOVA\_24\_5\_4\_SHAKE    | NA                    | EUF-CMA          |                    1 |                      1016 |                        48 |                      248 |
+|    SNOVA\_24\_5\_4\_esk     | NA                    | EUF-CMA          |                    1 |                      1016 |                     36848 |                      248 |
+| SNOVA\_24\_5\_4\_SHAKE\_esk | NA                    | EUF-CMA          |                    1 |                      1016 |                     36848 |                      248 |
+|      SNOVA\_37\_17\_2       | NA                    | EUF-CMA          |                    1 |                      9842 |                        48 |                      124 |
+|       SNOVA\_25\_8\_3       | NA                    | EUF-CMA          |                    1 |                      2320 |                        48 |                      165 |
+|      SNOVA\_56\_25\_2       | NA                    | EUF-CMA          |                    3 |                     31266 |                        48 |                      178 |
+|      SNOVA\_49\_11\_3       | NA                    | EUF-CMA          |                    3 |                      6006 |                        48 |                      286 |
+|       SNOVA\_37\_8\_4       | NA                    | EUF-CMA          |                    3 |                      4112 |                        48 |                      376 |
+|       SNOVA\_24\_5\_5       | NA                    | EUF-CMA          |                    3 |                      1579 |                        48 |                      379 |
+|      SNOVA\_60\_10\_4       | NA                    | EUF-CMA          |                    5 |                      8016 |                        48 |                      576 |
+|       SNOVA\_29\_6\_5       | NA                    | EUF-CMA          |                    5 |                      2716 |                        48 |                      454 |
+
+## SNOVA\_24\_5\_4 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## SNOVA\_24\_5\_4\_SHAKE implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_24\_5\_4\_esk implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_24\_5\_4\_SHAKE\_esk implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_37\_17\_2 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_25\_8\_3 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_56\_25\_2 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_49\_11\_3 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_37\_8\_4 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_24\_5\_5 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_60\_10\_4 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SNOVA\_29\_6\_5 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | opt                      | All                         | All                             | None                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux                           | AVX2                    | True                               | True                                           | True                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Darwin,Linux                    | None                    | True                               | True                                           | True                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/snova.yml
+++ b/docs/algorithms/sig/snova.yml
@ -0,0 +1,560 @@
+name: SNOVA
+type: signature
+principal-submitters:
+- Lih-Chung Wang
+- Chun-Yen Chou
+- Jintai Ding
+- Yen-Liang Kuan
+- Jan Adriaan Leegwater
+- Ming-Siou Li
+- Bo-Shu Tseng
+- Po-En Tseng
+- Chia-Chun Wang
+crypto-assumption: multivariable quadratic equations, oil and vinegar
+website: https://snova.pqclab.org/
+nist-round: 2
+spec-version: Round 2
+primary-upstream:
+  source: https://github.com/vacuas/SNOVA/commit/1c3ca6f4f7286c0bde98d7d6f222cf63b9d52bff
+  spdx-license-identifier: MIT
+parameter-sets:
+- name: SNOVA_24_5_4
+  oqs_alg: OQS_SIG_alg_snova_24_5_4
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 1016
+  length-secret-key: 48
+  length-signature: 248
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SNOVA_24_5_4_SHAKE
+  oqs_alg: OQS_SIG_alg_SNOVA_24_5_4_SHAKE
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 1016
+  length-secret-key: 48
+  length-signature: 248
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SNOVA_24_5_4_esk
+  oqs_alg: OQS_SIG_alg_snova_24_5_4_esk
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 1016
+  length-secret-key: 36848
+  length-signature: 248
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SNOVA_24_5_4_SHAKE_esk
+  oqs_alg: OQS_SIG_alg_SNOVA_24_5_4_SHAKE_esk
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 1016
+  length-secret-key: 36848
+  length-signature: 248
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SNOVA_37_17_2
+  oqs_alg: OQS_SIG_alg_SNOVA_37_17_2
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 9842
+  length-secret-key: 48
+  length-signature: 124
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: SNOVA_25_8_3
+  oqs_alg: OQS_SIG_alg_SNOVA_25_8_3
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 2320
+  length-secret-key: 48
+  length-signature: 165
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SNOVA_56_25_2
+  oqs_alg: OQS_SIG_alg_snova_56_25_2
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 31266
+  length-secret-key: 48
+  length-signature: 178
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: SNOVA_49_11_3
+  oqs_alg: OQS_SIG_alg_snova_49_11_3
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 6006
+  length-secret-key: 48
+  length-signature: 286
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: SNOVA_37_8_4
+  oqs_alg: OQS_SIG_alg_snova_37_8_4
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 4112
+  length-secret-key: 48
+  length-signature: 376
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: SNOVA_24_5_5
+  oqs_alg: OQS_SIG_alg_SNOVA_24_5_5
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 1579
+  length-secret-key: 48
+  length-signature: 379
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: SNOVA_60_10_4
+  oqs_alg: OQS_SIG_alg_snova_60_10_4
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 8016
+  length-secret-key: 48
+  length-signature: 576
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+- name: SNOVA_29_6_5
+  oqs_alg: OQS_SIG_alg_SNOVA_29_6_5
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 2716
+  length-secret-key: 48
+  length-signature: 454
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: opt
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Darwin
+      - Linux
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: true
--- a/docs/algorithms/sig/sphincs.md
+++ b/docs/algorithms/sig/sphincs.md
@ -1,56 +1,147 @@
 # SPHINCS+

- **Algorithm type**: signature
- **Main cryptographic assumption**: hash-based signatures
- **Scheme authors**: Andreas Hulsing, Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Panos Kampanakis, Stefan Kolbl, Tanja Lange, Martin M Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe, Jean-Philippe Aumasson
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: hash-based signatures.
+- **Principal submitters**: Andreas Hülsing.
+- **Auxiliary submitters**: Jean-Philippe Aumasson, Daniel J. Bernstein,, Ward Beullens, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe, Bas Westerbaan.
 - **Authors' website**: https://sphincs.org/
- **Version**: NIST Round 2 submission
+- **Specification version**: NIST Round 3 submission, v3.1 (June 10, 2022).
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181 with copy_from_upstream patches
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0

-## Implementation

- **Source of implementation**: https://github.com/sphincs/sphincsplus
- **Implementation version**: https://github.com/PQClean/PQClean.git, master, 19b438ba5c7c3a6f2194cd8bda14821dc33c64a3
- **License**: CC0 1.0 Universal
- **Constant-time**: Yes
- **Optimizations**: Portable C with AES, AVX2 instructions (if available at run-time)
+## Advisories

-## Parameter sets
+- This algorithm is not tested under Windows.

-| Parameter set                 | Security model | Claimed NIST security level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
-| ----------------------------- | -------------- | --------------------------- | ----------------------- | ----------------------- | ---------------------- |
-| SPHINCS+-Haraka-128f-robust   | EUF-CMA        | 1                           | 32                      | 64                      | 17088                  |
-| SPHINCS+-Haraka-128f-simple   | EUF-CMA        | 1                           | 32                      | 64                      | 17088                  |
-| SPHINCS+-Haraka-128s-robust   | EUF-CMA        | 1                           | 32                      | 64                      | 7856                   |
-| SPHINCS+-Haraka-128s-simple   | EUF-CMA        | 1                           | 32                      | 64                      | 7856                   |
-| SPHINCS+-Haraka-192f-robust   | EUF-CMA        | 3                           | 48                      | 96                      | 35664                  |
-| SPHINCS+-Haraka-192f-simple   | EUF-CMA        | 3                           | 48                      | 96                      | 35664                  |
-| SPHINCS+-Haraka-192s-robust   | EUF-CMA        | 3                           | 48                      | 96                      | 16224                  |
-| SPHINCS+-Haraka-192s-simple   | EUF-CMA        | 3                           | 48                      | 96                      | 16224                  |
-| SPHINCS+-Haraka-256f-robust   | EUF-CMA        | 5                           | 64                      | 128                     | 49856                  |
-| SPHINCS+-Haraka-256f-simple   | EUF-CMA        | 5                           | 64                      | 128                     | 49856                  |
-| SPHINCS+-Haraka-256s-robust   | EUF-CMA        | 5                           | 64                      | 128                     | 29792                  |
-| SPHINCS+-Haraka-256s-simple   | EUF-CMA        | 5                           | 64                      | 128                     | 29792                  |
-| SPHINCS+-SHA256-128f-robust   | EUF-CMA        | 1                           | 32                      | 64                      | 17088                  |
-| SPHINCS+-SHA256-128f-simple   | EUF-CMA        | 1                           | 32                      | 64                      | 17088                  |
-| SPHINCS+-SHA256-128s-robust   | EUF-CMA        | 1                           | 32                      | 64                      | 7856                   |
-| SPHINCS+-SHA256-128s-simple   | EUF-CMA        | 1                           | 32                      | 64                      | 7856                   |
-| SPHINCS+-SHA256-192f-robust   | EUF-CMA        | 3                           | 48                      | 96                      | 35664                  |
-| SPHINCS+-SHA256-192f-simple   | EUF-CMA        | 3                           | 48                      | 96                      | 35664                  |
-| SPHINCS+-SHA256-192s-robust   | EUF-CMA        | 3                           | 48                      | 96                      | 16224                  |
-| SPHINCS+-SHA256-192s-simple   | EUF-CMA        | 3                           | 48                      | 96                      | 16224                  |
-| SPHINCS+-SHA256-256f-robust   | EUF-CMA        | 5                           | 64                      | 128                     | 49856                  |
-| SPHINCS+-SHA256-256f-simple   | EUF-CMA        | 5                           | 64                      | 128                     | 49856                  |
-| SPHINCS+-SHA256-256s-robust   | EUF-CMA        | 5                           | 64                      | 128                     | 29792                  |
-| SPHINCS+-SHA256-256s-simple   | EUF-CMA        | 5                           | 64                      | 128                     | 29792                  |
-| SPHINCS+-SHAKE256-128f-robust | EUF-CMA        | 1                           | 32                      | 64                      | 17088                  |
-| SPHINCS+-SHAKE256-128f-simple | EUF-CMA        | 1                           | 32                      | 64                      | 17088                  |
-| SPHINCS+-SHAKE256-128s-robust | EUF-CMA        | 1                           | 32                      | 64                      | 7856                   |
-| SPHINCS+-SHAKE256-128s-simple | EUF-CMA        | 1                           | 32                      | 64                      | 7856                   |
-| SPHINCS+-SHAKE256-192f-robust | EUF-CMA        | 3                           | 48                      | 96                      | 35664                  |
-| SPHINCS+-SHAKE256-192f-simple | EUF-CMA        | 3                           | 48                      | 96                      | 35664                  |
-| SPHINCS+-SHAKE256-192s-robust | EUF-CMA        | 3                           | 48                      | 96                      | 16224                  |
-| SPHINCS+-SHAKE256-192s-simple | EUF-CMA        | 3                           | 48                      | 96                      | 16224                  |
-| SPHINCS+-SHAKE256-256f-robust | EUF-CMA        | 5                           | 64                      | 128                     | 49856                  |
-| SPHINCS+-SHAKE256-256f-simple | EUF-CMA        | 5                           | 64                      | 128                     | 49856                  |
-| SPHINCS+-SHAKE256-256s-robust | EUF-CMA        | 5                           | 64                      | 128                     | 29792                  |
-| SPHINCS+-SHAKE256-256s-simple | EUF-CMA        | 5                           | 64                      | 128                     | 29792                  |
+## Parameter set summary
+
+|       Parameter set        | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:--------------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+| SPHINCS+-SHA2-128f-simple  | NA                    | EUF-CMA          |                    1 |                        32 |                        64 |                    17088 |
+| SPHINCS+-SHA2-128s-simple  | NA                    | EUF-CMA          |                    1 |                        32 |                        64 |                     7856 |
+| SPHINCS+-SHA2-192f-simple  | NA                    | EUF-CMA          |                    3 |                        48 |                        96 |                    35664 |
+| SPHINCS+-SHA2-192s-simple  | NA                    | EUF-CMA          |                    3 |                        48 |                        96 |                    16224 |
+| SPHINCS+-SHA2-256f-simple  | NA                    | EUF-CMA          |                    5 |                        64 |                       128 |                    49856 |
+| SPHINCS+-SHA2-256s-simple  | NA                    | EUF-CMA          |                    5 |                        64 |                       128 |                    29792 |
+| SPHINCS+-SHAKE-128f-simple | NA                    | EUF-CMA          |                    1 |                        32 |                        64 |                    17088 |
+| SPHINCS+-SHAKE-128s-simple | NA                    | EUF-CMA          |                    1 |                        32 |                        64 |                     7856 |
+| SPHINCS+-SHAKE-192f-simple | NA                    | EUF-CMA          |                    3 |                        48 |                        96 |                    35664 |
+| SPHINCS+-SHAKE-192s-simple | NA                    | EUF-CMA          |                    3 |                        48 |                        96 |                    16224 |
+| SPHINCS+-SHAKE-256f-simple | NA                    | EUF-CMA          |                    5 |                        64 |                       128 |                    49856 |
+| SPHINCS+-SHAKE-256s-simple | NA                    | EUF-CMA          |                    5 |                        64 |                       128 |                    29792 |
+
+## SPHINCS+-SHA2-128f-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## SPHINCS+-SHA2-128s-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHA2-192f-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHA2-192s-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHA2-256f-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHA2-256s-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHAKE-128f-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHAKE-128s-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHAKE-192f-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHAKE-192s-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHAKE-256f-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## SPHINCS+-SHAKE-256s-simple implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | False                              | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/sphincs.yml
+++ b/docs/algorithms/sig/sphincs.yml
@ -0,0 +1,396 @@
+name: SPHINCS+
+type: signature
+principal-submitters:
+- Andreas Hülsing
+auxiliary-submitters:
+- Jean-Philippe Aumasson
+- Daniel J. Bernstein,
+- Ward Beullens
+- Christoph Dobraunig
+- Maria Eichlseder
+- Scott Fluhrer
+- Stefan-Lukas Gazdag
+- Panos Kampanakis
+- Stefan Kölbl
+- Tanja Lange
+- Martin M. Lauridsen
+- Florian Mendel
+- Ruben Niederhagen
+- Christian Rechberger
+- Joost Rijneveld
+- Peter Schwabe
+- Bas Westerbaan
+crypto-assumption: hash-based signatures
+website: https://sphincs.org/
+nist-round: 3
+spec-version: NIST Round 3 submission, v3.1 (June 10, 2022)
+spdx-license-identifier: CC0-1.0
+primary-upstream:
+  source: https://github.com/PQClean/PQClean/commit/1eacfdafc15ddc5d5759d0b85b4cef26627df181
+    with copy_from_upstream patches
+  spdx-license-identifier: CC0-1.0
+  upstream-ancestors:
+  - https://github.com/sphincs/sphincsplus
+advisories:
+- This algorithm is not tested under Windows.
+parameter-sets:
+- name: SPHINCS+-SHA2-128f-simple
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 32
+  length-secret-key: 64
+  length-signature: 17088
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHA2-128s-simple
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 32
+  length-secret-key: 64
+  length-signature: 7856
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHA2-192f-simple
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 48
+  length-secret-key: 96
+  length-signature: 35664
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHA2-192s-simple
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 48
+  length-secret-key: 96
+  length-signature: 16224
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHA2-256f-simple
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 64
+  length-secret-key: 128
+  length-signature: 49856
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHA2-256s-simple
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 64
+  length-secret-key: 128
+  length-signature: 29792
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA2: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHAKE-128f-simple
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 32
+  length-secret-key: 64
+  length-signature: 17088
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHAKE-128s-simple
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 32
+  length-secret-key: 64
+  length-signature: 7856
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHAKE-192f-simple
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 48
+  length-secret-key: 96
+  length-signature: 35664
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHAKE-192s-simple
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 48
+  length-secret-key: 96
+  length-signature: 16224
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHAKE-256f-simple
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 64
+  length-secret-key: 128
+  length-signature: 49856
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: SPHINCS+-SHAKE-256s-simple
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 64
+  length-secret-key: 128
+  length-signature: 29792
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: false
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      required_flags:
+      - avx2
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
--- a/docs/algorithms/sig/uov.md
+++ b/docs/algorithms/sig/uov.md
@ -0,0 +1,154 @@
+# UOV
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: multivariable quadratic equations, oil and vinegar.
+- **Principal submitters**: Ward Beullens, Ming-Shing Chen, Jintai Ding, Boru Gong, Matthias J. Kannwischer, Jacques Patarin, Bo-Yuan Peng, Dieter Schmidt, Cheng-Jhih Shih, Chengdong Tao, Bo-Yin Yang.
+- **Authors' website**: https://www.uovsig.org/
+- **Specification version**: NIST Round 2 (February 2025).
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/pqov/pqov/commit/7e0832b6732a476119742c4acabd11b7c767aefb
+  - **Implementation license (SPDX-Identifier)**: CC0 OR Apache-2.0
+
+
+## Parameter set summary
+
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
+|      OV-Is      | NA                    | EUF-CMA          |                    1 |                    412160 |                    348704 |                       96 |
+|      OV-Ip      | NA                    | EUF-CMA          |                    1 |                    278432 |                    237896 |                      128 |
+|     OV-III      | NA                    | EUF-CMA          |                    3 |                   1225440 |                   1044320 |                      200 |
+|      OV-V       | NA                    | EUF-CMA          |                    5 |                   2869440 |                   2436704 |                      260 |
+|    OV-Is-pkc    | NA                    | EUF-CMA          |                    1 |                     66576 |                    348704 |                       96 |
+|    OV-Ip-pkc    | NA                    | EUF-CMA          |                    1 |                     43576 |                    237896 |                      128 |
+|   OV-III-pkc    | NA                    | EUF-CMA          |                    3 |                    189232 |                   1044320 |                      200 |
+|    OV-V-pkc     | NA                    | EUF-CMA          |                    5 |                    446992 |                   2436704 |                      260 |
+|  OV-Is-pkc-skc  | NA                    | EUF-CMA          |                    1 |                     66576 |                        32 |                       96 |
+|  OV-Ip-pkc-skc  | NA                    | EUF-CMA          |                    1 |                     43576 |                        32 |                      128 |
+| OV-III-pkc-skc  | NA                    | EUF-CMA          |                    3 |                    189232 |                        32 |                      200 |
+|  OV-V-pkc-skc   | NA                    | EUF-CMA          |                    5 |                    446992 |                        32 |                      260 |
+
+## OV-Is implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## OV-Ip implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-III implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-V implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-Is-pkc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-Ip-pkc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-III-pkc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-V-pkc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-Is-pkc-skc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-Ip-pkc-skc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-III-pkc-skc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## OV-V-pkc-skc implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | neon                     | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/sig/uov.yml
+++ b/docs/algorithms/sig/uov.yml
@ -0,0 +1,562 @@
+name: UOV
+type: signature
+principal-submitters:
+- Ward Beullens
+- Ming-Shing Chen
+- Jintai Ding
+- Boru Gong
+- Matthias J. Kannwischer
+- Jacques Patarin
+- Bo-Yuan Peng
+- Dieter Schmidt
+- Cheng-Jhih Shih
+- Chengdong Tao
+- Bo-Yin Yang
+crypto-assumption: multivariable quadratic equations, oil and vinegar
+website: https://www.uovsig.org/
+nist-round: 2
+spec-version: NIST Round 2 (February 2025)
+primary-upstream:
+  source: https://github.com/pqov/pqov/commit/7e0832b6732a476119742c4acabd11b7c767aefb
+  spdx-license-identifier: CC0 OR Apache-2.0
+parameter-sets:
+- name: OV-Is
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 412160
+  length-secret-key: 348704
+  length-signature: 96
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-Ip
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 278432
+  length-secret-key: 237896
+  length-signature: 128
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-III
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 1225440
+  length-secret-key: 1044320
+  length-signature: 200
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-V
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 2869440
+  length-secret-key: 2436704
+  length-signature: 260
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-Is-pkc
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 66576
+  length-secret-key: 348704
+  length-signature: 96
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-Ip-pkc
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 43576
+  length-secret-key: 237896
+  length-signature: 128
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-III-pkc
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 189232
+  length-secret-key: 1044320
+  length-signature: 200
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-V-pkc
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 446992
+  length-secret-key: 2436704
+  length-signature: 260
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-Is-pkc-skc
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 66576
+  length-secret-key: 32
+  length-signature: 96
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-Ip-pkc-skc
+  claimed-nist-level: 1
+  claimed-security: EUF-CMA
+  length-public-key: 43576
+  length-secret-key: 32
+  length-signature: 128
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-III-pkc-skc
+  claimed-nist-level: 3
+  claimed-security: EUF-CMA
+  length-public-key: 189232
+  length-secret-key: 32
+  length-signature: 200
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+- name: OV-V-pkc-skc
+  claimed-nist-level: 5
+  claimed-security: EUF-CMA
+  length-public-key: 446992
+  length-secret-key: 32
+  length-signature: 260
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream: primary-upstream
+    upstream-id: ref
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: neon
+    supported-platforms:
+    - architecture: ARM64_V8
+      operating_systems:
+      - Linux
+      - Darwin
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: false
+    large-stack-usage: false
+  - upstream: primary-upstream
+    upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+    common-crypto:
+    - SHA3: liboqs
+    - AES: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
--- a/docs/algorithms/sig_stfl/lms.md
+++ b/docs/algorithms/sig_stfl/lms.md
@ -0,0 +1,50 @@
+# LMS
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: hash-based signatures.
+- **Principal submitters**: Scott Fluhrer.
+- **Auxiliary submitters**: C Martin, Maurice Hieronymus.
+- **Authors' website**: https://www.rfc-editor.org/info/rfc8554
+- **Specification version**: None.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/cisco/hash-sigs
+  - **Implementation license (SPDX-Identifier)**: MIT
+
+
+## Parameter set summary
+
+|      Parameter set       | Security model   | Claimed NIST Level   |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:------------------------:|:-----------------|:---------------------|--------------------------:|--------------------------:|-------------------------:|
+|     LMS_SHA256_H5_W1     |                  |                      |                        60 |                        64 |                     8688 |
+|     LMS_SHA256_H5_W2     |                  |                      |                        60 |                        64 |                     4464 |
+|     LMS_SHA256_H5_W4     |                  |                      |                        60 |                        64 |                     2352 |
+|     LMS_SHA256_H5_W8     |                  |                      |                        60 |                        64 |                     1296 |
+|    LMS_SHA256_H10_W1     |                  |                      |                        60 |                        64 |                     8848 |
+|    LMS_SHA256_H10_W2     |                  |                      |                        60 |                        64 |                     4624 |
+|    LMS_SHA256_H10_W4     |                  |                      |                        60 |                        64 |                     2512 |
+|    LMS_SHA256_H10_W8     |                  |                      |                        60 |                        64 |                     1456 |
+|    LMS_SHA256_H15_W1     |                  |                      |                        60 |                        64 |                     9008 |
+|    LMS_SHA256_H15_W2     |                  |                      |                        60 |                        64 |                     4784 |
+|    LMS_SHA256_H15_W4     |                  |                      |                        60 |                        64 |                     2672 |
+|    LMS_SHA256_H15_W8     |                  |                      |                        60 |                        64 |                     1616 |
+|    LMS_SHA256_H20_W1     |                  |                      |                        60 |                        64 |                     9168 |
+|    LMS_SHA256_H20_W2     |                  |                      |                        60 |                        64 |                     4944 |
+|    LMS_SHA256_H20_W4     |                  |                      |                        60 |                        64 |                     2832 |
+|    LMS_SHA256_H20_W8     |                  |                      |                        60 |                        64 |                     1776 |
+|    LMS_SHA256_H25_W1     |                  |                      |                        60 |                        64 |                     9328 |
+|    LMS_SHA256_H25_W2     |                  |                      |                        60 |                        64 |                     5104 |
+|    LMS_SHA256_H25_W4     |                  |                      |                        60 |                        64 |                     2992 |
+|    LMS_SHA256_H25_W8     |                  |                      |                        60 |                        64 |                     1936 |
+|  LMS_SHA256_H5_W8_H5_W8  |                  |                      |                        60 |                        64 |                     2644 |
+| LMS_SHA256_H10_W4_H5_W8  |                  |                      |                        60 |                        64 |                     2804 |
+| LMS_SHA256_H10_W8_H5_W8  |                  |                      |                        60 |                        64 |                     3860 |
+| LMS_SHA256_H10_W2_H10_W2 |                  |                      |                        60 |                        64 |                     9300 |
+| LMS_SHA256_H10_W4_H10_W4 |                  |                      |                        60 |                        64 |                     5076 |
+| LMS_SHA256_H10_W8_H10_W8 |                  |                      |                        60 |                        64 |                     2964 |
+| LMS_SHA256_H15_W8_H5_W8  |                  |                      |                        60 |                        64 |                     2964 |
+| LMS_SHA256_H15_W8_H10_W8 |                  |                      |                        60 |                        64 |                     3124 |
+| LMS_SHA256_H15_W8_H15_W8 |                  |                      |                        60 |                        64 |                     3284 |
+| LMS_SHA256_H20_W8_H5_W8  |                  |                      |                        60 |                        64 |                     3124 |
+| LMS_SHA256_H20_W8_H10_W8 |                  |                      |                        60 |                        64 |                     3284 |
+| LMS_SHA256_H20_W8_H15_W8 |                  |                      |                        60 |                        64 |                     3444 |
+| LMS_SHA256_H20_W8_H20_W8 |                  |                      |                        60 |                        64 |                     3604 |
--- a/docs/algorithms/sig_stfl/lms.yml
+++ b/docs/algorithms/sig_stfl/lms.yml
@ -0,0 +1,216 @@
+name: LMS
+type: stateful signature
+principal-submitters:
+- Scott Fluhrer
+auxiliary-submitters:
+- C Martin
+- Maurice Hieronymus
+
+crypto-assumption: hash-based signatures
+website: https://www.rfc-editor.org/info/rfc8554
+nist-round: 
+spec-version: 
+spdx-license-identifier: 
+primary-upstream:
+  source: https://github.com/cisco/hash-sigs
+  spdx-license-identifier: MIT
+  upstream-ancestors:
+parameter-sets:
+- name: LMS_SHA256_H5_W1
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 8688
+- name: LMS_SHA256_H5_W2
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 4464
+- name: LMS_SHA256_H5_W4
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2352
+- name: LMS_SHA256_H5_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 1296
+- name: LMS_SHA256_H10_W1
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 8848
+- name: LMS_SHA256_H10_W2
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 4624
+- name: LMS_SHA256_H10_W4
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2512
+- name: LMS_SHA256_H10_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 1456
+- name: LMS_SHA256_H15_W1
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 9008
+- name: LMS_SHA256_H15_W2
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 4784
+- name: LMS_SHA256_H15_W4
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2672
+- name: LMS_SHA256_H15_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 1616
+- name: LMS_SHA256_H20_W1
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 9168
+- name: LMS_SHA256_H20_W2
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 4944
+- name: LMS_SHA256_H20_W4
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2832
+- name: LMS_SHA256_H20_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 1776
+- name: LMS_SHA256_H25_W1
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 9328
+- name: LMS_SHA256_H25_W2
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 5104
+- name: LMS_SHA256_H25_W4
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2992
+- name: LMS_SHA256_H25_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 1936
+- name: LMS_SHA256_H5_W8_H5_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2644
+- name: LMS_SHA256_H10_W4_H5_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2804
+- name: LMS_SHA256_H10_W8_H5_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3860
+- name: LMS_SHA256_H10_W2_H10_W2
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 9300
+- name: LMS_SHA256_H10_W4_H10_W4
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 5076
+- name: LMS_SHA256_H10_W8_H10_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2964
+- name: LMS_SHA256_H15_W8_H5_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 2964
+- name: LMS_SHA256_H15_W8_H10_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3124
+- name: LMS_SHA256_H15_W8_H15_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3284
+- name: LMS_SHA256_H20_W8_H5_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3124
+- name: LMS_SHA256_H20_W8_H10_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3284
+- name: LMS_SHA256_H20_W8_H15_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3444
+- name: LMS_SHA256_H20_W8_H20_W8
+  claimed-nist-level: 
+  claimed-security: 
+  length-public-key: 60
+  length-secret-key: 64
+  length-signature: 3604
--- a/docs/algorithms/sig_stfl/sig_stfl.md
+++ b/docs/algorithms/sig_stfl/sig_stfl.md
@ -0,0 +1,29 @@
+
+# **Stateful Hash Based Signatures**
+
+The security of hash based signatures (HBS) is based on the underlying hash functions on which they are built.
+NIST recommendation is that they are suitable for near term use to mitigate against attacks mounted by quantum computers.
+While not a general purpose solution, they are useful means to authenticate boot or firmware images.
+
+<ins>**General**</ins>
+
+This package provides full support for a variety of variants for XMSS and LMS. 
+Key generation, signature generation, and signature verification. 
+Security of HBS also depends on the management of the state of the secret key. Secret keys can only used once to generate a signature.
+Multiple signing with same key can reveal that key to an attacker.
+Because of this, NIST recommends that key and signature generation be done in hardware security modules.
+Having said that, this library is fully functional for research purposes. Secret keys are incremented after each sign operation.
+However, secure storage and lifecycle management of the secret keys are left to applications using this feature.
+Secret key storage is easily done by supplying a callback function to the library. This callback is invoked to store the secret key.
+
+
+<ins>**Key State Management**</ins>
+
+Application writers have to supply callback functions to store and update secret keys.
+After a sign operation the secret key index is advanced and stored. This ensures one-time use of the key.
+Signing operations will fail without this callback set because the private key cannot be advanced (to prevent reuse).
+
+Stateful keys can generate a finite number of signatures. A counter tracks the limit when the key is created and is decremented after each signature is generated.
+When the counter is down to 0, signature generation fails. Applications can query the remaining count via an API.
+
+
--- a/docs/algorithms/sig_stfl/xmss.md
+++ b/docs/algorithms/sig_stfl/xmss.md
@ -0,0 +1,53 @@
+# XMSS
+
+- **Algorithm type**: Digital signature scheme.
+- **Main cryptographic assumption**: hash-based signatures.
+- **Principal submitters**: Joost Rijneveld, A. Huelsing, David Cooper, Bas Westerbaan.
+- **Authors' website**: https://www.rfc-editor.org/info/rfc8391
+- **Specification version**: None.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/XMSS/xmss-reference
+  - **Implementation license (SPDX-Identifier)**: (Apache-2.0 OR MIT) AND CC0-1.0
+
+
+## Parameter set summary
+
+|     Parameter set      | Security model   | Claimed NIST Level   |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
+|:----------------------:|:-----------------|:---------------------|--------------------------:|--------------------------:|-------------------------:|
+|    XMSS-SHA2_10_256    |                  |                      |                        64 |                      1373 |                     2500 |
+|    XMSS-SHA2_16_256    |                  |                      |                        64 |                      2093 |                     2692 |
+|    XMSS-SHA2_20_256    |                  |                      |                        64 |                      2573 |                     2820 |
+|   XMSS-SHAKE_10_256    |                  |                      |                        64 |                      1373 |                     2500 |
+|   XMSS-SHAKE_16_256    |                  |                      |                        64 |                      2093 |                     2692 |
+|   XMSS-SHAKE_20_256    |                  |                      |                        64 |                      2573 |                     2820 |
+|    XMSS-SHA2_10_512    |                  |                      |                       128 |                      2653 |                     9092 |
+|    XMSS-SHA2_16_512    |                  |                      |                       128 |                      4045 |                     9476 |
+|    XMSS-SHA2_20_512    |                  |                      |                       128 |                      2653 |                     9732 |
+|   XMSS-SHAKE_10_512    |                  |                      |                       128 |                      2653 |                     9092 |
+|   XMSS-SHAKE_16_512    |                  |                      |                       128 |                      4045 |                     9476 |
+|   XMSS-SHAKE_20_512    |                  |                      |                       128 |                      4973 |                     9732 |
+|    XMSS-SHA2_10_192    |                  |                      |                        48 |                      1053 |                     1492 |
+|    XMSS-SHA2_16_192    |                  |                      |                        48 |                      1605 |                     1636 |
+|    XMSS-SHA2_20_192    |                  |                      |                        48 |                      1973 |                     1732 |
+|  XMSS-SHAKE256_10_192  |                  |                      |                        48 |                      1053 |                     1492 |
+|  XMSS-SHAKE256_16_192  |                  |                      |                        48 |                      1605 |                     1636 |
+|  XMSS-SHAKE256_20_192  |                  |                      |                        48 |                      1973 |                     1732 |
+|  XMSS-SHAKE256_10_256  |                  |                      |                        64 |                      1373 |                     2500 |
+|  XMSS-SHAKE256_16_256  |                  |                      |                        64 |                      2093 |                     2692 |
+|  XMSS-SHAKE256_20_256  |                  |                      |                        64 |                      2573 |                     2820 |
+|  XMSSMT-SHA2_20/2_256  |                  |                      |                        64 |                      5998 |                     4963 |
+|  XMSSMT-SHA2_20/4_256  |                  |                      |                        64 |                     10938 |                     9251 |
+|  XMSSMT-SHA2_40/2_256  |                  |                      |                        64 |                      9600 |                     5605 |
+|  XMSSMT-SHA2_40/4_256  |                  |                      |                        64 |                     15252 |                     9893 |
+|  XMSSMT-SHA2_40/8_256  |                  |                      |                        64 |                     24516 |                    18469 |
+|  XMSSMT-SHA2_60/3_256  |                  |                      |                        64 |                     16629 |                     8392 |
+|  XMSSMT-SHA2_60/6_256  |                  |                      |                        64 |                     24507 |                    14824 |
+| XMSSMT-SHA2_60/12_256  |                  |                      |                        64 |                     38095 |                    27688 |
+| XMSSMT-SHAKE_20/2_256  |                  |                      |                        64 |                      5998 |                     4963 |
+| XMSSMT-SHAKE_20/4_256  |                  |                      |                        64 |                     10938 |                     9251 |
+| XMSSMT-SHAKE_40/2_256  |                  |                      |                        64 |                      9600 |                     5605 |
+| XMSSMT-SHAKE_40/4_256  |                  |                      |                        64 |                     15252 |                     9893 |
+| XMSSMT-SHAKE_40/8_256  |                  |                      |                        64 |                     24516 |                    18469 |
+| XMSSMT-SHAKE_60/3_256  |                  |                      |                        64 |                     24516 |                     8392 |
+| XMSSMT-SHAKE_60/6_256  |                  |                      |                        64 |                     24507 |                    14824 |
+| XMSSMT-SHAKE_60/12_256 |                  |                      |                        64 |                     38095 |                    27688 |
--- a/docs/algorithms/sig_stfl/xmss.yml
+++ b/docs/algorithms/sig_stfl/xmss.yml
@ -0,0 +1,241 @@
+name: XMSS
+type: stateful signature
+principal-submitters:
+- Joost Rijneveld
+- A. Huelsing
+- David Cooper
+- Bas Westerbaan
+auxiliary-submitters:
+
+crypto-assumption: hash-based signatures
+website: https://www.rfc-editor.org/info/rfc8391
+nist-round:
+spec-version:
+spdx-license-identifier: (Apache-2.0 OR MIT) AND CC0-1.0
+primary-upstream:
+  source: https://github.com/XMSS/xmss-reference
+  spdx-license-identifier: (Apache-2.0 OR MIT) AND CC0-1.0
+  upstream-ancestors:
+parameter-sets:
+- name: XMSS-SHA2_10_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 1373
+  length-signature: 2500
+- name: XMSS-SHA2_16_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 2093
+  length-signature: 2692
+- name: XMSS-SHA2_20_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 2573
+  length-signature: 2820
+- name: XMSS-SHAKE_10_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 1373
+  length-signature: 2500
+- name: XMSS-SHAKE_16_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 2093
+  length-signature: 2692
+- name: XMSS-SHAKE_20_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 2573
+  length-signature: 2820
+- name: XMSS-SHA2_10_512
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 128
+  length-secret-key: 2653
+  length-signature: 9092
+- name: XMSS-SHA2_16_512
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 128
+  length-secret-key: 4045
+  length-signature: 9476
+- name: XMSS-SHA2_20_512
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 128
+  length-secret-key: 2653
+  length-signature: 9732
+- name: XMSS-SHAKE_10_512
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 128
+  length-secret-key: 2653
+  length-signature: 9092
+- name: XMSS-SHAKE_16_512
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 128
+  length-secret-key: 4045
+  length-signature: 9476
+- name: XMSS-SHAKE_20_512
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 128
+  length-secret-key: 4973
+  length-signature: 9732
+- name: XMSS-SHA2_10_192
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 48
+  length-secret-key: 1053
+  length-signature: 1492
+- name: XMSS-SHA2_16_192
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 48
+  length-secret-key: 1605
+  length-signature: 1636
+- name: XMSS-SHA2_20_192
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 48
+  length-secret-key: 1973
+  length-signature: 1732
+- name: XMSS-SHAKE256_10_192
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 48
+  length-secret-key: 1053
+  length-signature: 1492
+- name: XMSS-SHAKE256_16_192
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 48
+  length-secret-key: 1605
+  length-signature: 1636
+- name: XMSS-SHAKE256_20_192
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 48
+  length-secret-key: 1973
+  length-signature: 1732
+- name: XMSS-SHAKE256_10_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 1373
+  length-signature: 2500
+- name: XMSS-SHAKE256_16_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 2093
+  length-signature: 2692
+- name: XMSS-SHAKE256_20_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 2573
+  length-signature: 2820
+- name: XMSSMT-SHA2_20/2_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 5998
+  length-signature: 4963
+- name: XMSSMT-SHA2_20/4_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 10938
+  length-signature: 9251
+- name: XMSSMT-SHA2_40/2_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 9600
+  length-signature: 5605
+- name: XMSSMT-SHA2_40/4_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 15252
+  length-signature: 9893
+- name: XMSSMT-SHA2_40/8_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 24516
+  length-signature: 18469
+- name: XMSSMT-SHA2_60/3_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 16629
+  length-signature: 8392
+- name: XMSSMT-SHA2_60/6_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 24507
+  length-signature: 14824
+- name: XMSSMT-SHA2_60/12_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 38095
+  length-signature: 27688
+- name: XMSSMT-SHAKE_20/2_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 5998
+  length-signature: 4963
+- name: XMSSMT-SHAKE_20/4_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 10938
+  length-signature: 9251
+- name: XMSSMT-SHAKE_40/2_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 9600
+  length-signature: 5605
+- name: XMSSMT-SHAKE_40/4_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 15252
+  length-signature: 9893
+- name: XMSSMT-SHAKE_40/8_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 24516
+  length-signature: 18469
+- name: XMSSMT-SHAKE_60/3_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 24516
+  length-signature: 8392
+- name: XMSSMT-SHAKE_60/6_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 24507
+  length-signature: 14824
+- name: XMSSMT-SHAKE_60/12_256
+  claimed-nist-level:
+  claimed-security:
+  length-public-key: 64
+  length-secret-key: 38095
+  length-signature: 27688
--- a/docs/cbom.json
+++ b/docs/cbom.json
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/Show More
+++ b/Show More