Skip to content

Add configs to disable unused APIs#960

Open
flynd wants to merge 14 commits intopq-code-package:mainfrom
flynd:config-disable-apis
Open

Add configs to disable unused APIs#960
flynd wants to merge 14 commits intopq-code-package:mainfrom
flynd:config-disable-apis

Conversation

@flynd
Copy link
Contributor

@flynd flynd commented Feb 10, 2026

Add configs to disable key generation, signature creation, and/or signature verification to reduce the library size when not needing only one or two of these.
Also adds a config to disable all but the internal APIs, allowing for example to build only crypto_sign_verify_internal() and exclude everything else.

Resolves #941

@flynd flynd requested a review from a team as a code owner February 10, 2026 09:18
@mkannwischer
Copy link
Contributor

mkannwischer commented Feb 10, 2026

Thanks @flynd. We will need a way to test the configuration options in CI.
Adding a new example based on the monobuild example seems to be the easiest path.

@flynd
Copy link
Contributor Author

flynd commented Feb 10, 2026

Thanks @flynd. We will need a way to test the configuration options in CI. Adding a new example based on the monobuild example seems to be the easiest path.

I started looking at this, but the standard examples create a signature and then verifies it. When building without signature creation the example code needs to do something else so I'm not sure what would be appropriate here.

@mkannwischer
Copy link
Contributor

mkannwischer commented Feb 11, 2026

Thanks @flynd. We will need a way to test the configuration options in CI. Adding a new example based on the monobuild example seems to be the easiest path.

I started looking at this, but the standard examples create a signature and then verifies it. When building without signature creation the example code needs to do something else so I'm not sure what would be appropriate here.

We already have https://github.com/pq-code-package/mldsa-native/blob/main/examples/basic/expected_signatures.h. This could be extended also with keys, then you could implement keygen, sign, and verify separately.
Probably we do not want to touch existing examples as it would make them hard to understand, but for a new example, this should be fine.
I can take a look at some point, but this month is rather busy.

@flynd flynd force-pushed the config-disable-apis branch 2 times, most recently from e061e08 to abee80e Compare February 12, 2026 10:21
@flynd
Copy link
Contributor Author

flynd commented Feb 12, 2026

@mkannwischer : I've added an example that is pretty close to the actual configuration I'm using (except I omitted MLD_CONFIG_REDUCE_RAM in the example).

@flynd flynd force-pushed the config-disable-apis branch from abee80e to 3c6b183 Compare February 13, 2026 11:59
flynd added 9 commits March 10, 2026 09:57
@flynd @andolo-axis
fips202: Don't build Keccak-f1600x2/x4 unless used
144222a 
When building with MLD_CONFIG_SERIAL_FIPS202_ONLY or
MLD_CONFIG_REDUCE_RAM, Keccak-f1600x2/x4 is not used and can be skipped.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to disable key generation API
d8752fc 
Make it possible to exclude key generation when not needed, together
with all internal functions not needed for signature creation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to disable signature creation API
3f78da9 
Make it possible to exclude signature creation when not needed, together
with all internal functions not needed for key generation or signature
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to disable signature verification API
72ad0b5 
Make it possible to exclude signature verification when not needed,
together with all internal functions not needed for key generation or
signature creation.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Disable functions not used for key generation
8074def 
Make it possible to exclude code only used for signature creation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Disable functions not used for signature creation
64bb068 
Make it possible to exclude code only used for key generation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Disable functions not used for signature verification
3e91eac 
Make it possible to exclude code only used for key generation or
signature creation.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to use only the internal API
a9cc636 
Make it possible to exclude the wrapper APIs if not needed and build
only the internal API functions.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add example for using verify_internal only
c399012 
Provide both keys and signatures as example data so the verify function
can be tested without having key generation and signature creation in
the same build.

Change-Id: I881fc38162c814787c2b13ca48c0b7fd52ff32c7
Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd flynd force-pushed the config-disable-apis branch from 3c6b183 to c399012 Compare March 10, 2026 08:58
@flynd
Copy link
Contributor Author

flynd commented Mar 10, 2026

@mkannwischer: It's been a month. Is there any chance that you might have time to look at this now? Or is there something more that I should try to add to make it easier/better?

@mkannwischer
Copy link
Contributor

mkannwischer commented Mar 11, 2026

@mkannwischer: It's been a month. Is there any chance that you might have time to look at this now? Or is there something more that I should try to add to make it easier/better?

Apologies for the long delay! We've been busy with getting everything ready for our RWC talk.
I'll take a look this weekend.

@mkannwischer
Fix formating
3e3f211 
Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
@mkannwischer
Replace monolithic verify-only example with disabled_apis example
d669736 
Replace the monolithic_build_verify_native example (which only tested
verify-only) with a new disabled_apis example that tests four
disabled API combinations (keygen-only, sign-only, verify-only, and
sign+verify) across all three parameter sets (44, 65, 87).

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
@mkannwischer
Add disabled_apis_native example with native backends
f2c9478 
Same as disabled_apis but with native arithmetic and FIPS-202 backends
enabled, testing four disabled API combinations across all three
parameter sets.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
@mkannwischer
Add READMEs for disabled_apis examples
95b0f21 
Also add missing monolithic_build_native entry to the top-level
examples README.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
@mkannwischer
Exclude disabled_apis examples from PCT config variations
3a2bd94 
PCT requires sign+verify internally during keygen for the pairwise
consistency test, which conflicts with MLD_CONFIG_NO_SIGN_API and
MLD_CONFIG_NO_VERIFY_API.

Also add the new examples to the root Makefile clean targets and the
--exclude-example choices lists in scripts/tests.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Config flag to only build for signature verification

2 participants

@flynd @mkannwischer