Skip to content

Add configs to disable unused APIs#960

Open
flynd wants to merge 9 commits intopq-code-package:mainfrom
flynd:config-disable-apis
Open

Add configs to disable unused APIs#960
flynd wants to merge 9 commits intopq-code-package:mainfrom
flynd:config-disable-apis

Conversation

@flynd
Copy link
Contributor

@flynd flynd commented Feb 10, 2026

Add configs to disable key generation, signature creation, and/or signature verification to reduce the library size when not needing only one or two of these.
Also adds a config to disable all but the internal APIs, allowing for example to build only crypto_sign_verify_internal() and exclude everything else.

Resolves #941

@flynd flynd requested a review from a team as a code owner February 10, 2026 09:18
@mkannwischer
Copy link
Contributor

mkannwischer commented Feb 10, 2026

Thanks @flynd. We will need a way to test the configuration options in CI.
Adding a new example based on the monobuild example seems to be the easiest path.

@flynd
Copy link
Contributor Author

flynd commented Feb 10, 2026

Thanks @flynd. We will need a way to test the configuration options in CI. Adding a new example based on the monobuild example seems to be the easiest path.

I started looking at this, but the standard examples create a signature and then verifies it. When building without signature creation the example code needs to do something else so I'm not sure what would be appropriate here.

@mkannwischer
Copy link
Contributor

mkannwischer commented Feb 11, 2026

Thanks @flynd. We will need a way to test the configuration options in CI. Adding a new example based on the monobuild example seems to be the easiest path.

I started looking at this, but the standard examples create a signature and then verifies it. When building without signature creation the example code needs to do something else so I'm not sure what would be appropriate here.

We already have https://github.com/pq-code-package/mldsa-native/blob/main/examples/basic/expected_signatures.h. This could be extended also with keys, then you could implement keygen, sign, and verify separately.
Probably we do not want to touch existing examples as it would make them hard to understand, but for a new example, this should be fine.
I can take a look at some point, but this month is rather busy.

@flynd flynd force-pushed the config-disable-apis branch 2 times, most recently from e061e08 to abee80e Compare February 12, 2026 10:21
@flynd
Copy link
Contributor Author

flynd commented Feb 12, 2026

@mkannwischer : I've added an example that is pretty close to the actual configuration I'm using (except I omitted MLD_CONFIG_REDUCE_RAM in the example).

flynd added 9 commits February 13, 2026 12:56
@flynd @andolo-axis
fips202: Don't build Keccak-f1600x2/x4 unless used
abce6eb 
When building with MLD_CONFIG_SERIAL_FIPS202_ONLY or
MLD_CONFIG_REDUCE_RAM, Keccak-f1600x2/x4 is not used and can be skipped.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to disable key generation API
5c62a9c 
Make it possible to exclude key generation when not needed, together
with all internal functions not needed for signature creation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to disable signature creation API
80e8846 
Make it possible to exclude signature creation when not needed, together
with all internal functions not needed for key generation or signature
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to disable signature verification API
d1e601b 
Make it possible to exclude signature verification when not needed,
together with all internal functions not needed for key generation or
signature creation.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Disable functions not used for key generation
1c755e4 
Make it possible to exclude code only used for signature creation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Disable functions not used for signature creation
66e9d49 
Make it possible to exclude code only used for key generation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Disable functions not used for signature verification
bac9bf8 
Make it possible to exclude code only used for key generation or
signature creation.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add config to use only the internal API
15bb1aa 
Make it possible to exclude the wrapper APIs if not needed and build
only the internal API functions.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @andolo-axis
Add example for using verify_internal only
3c6b183 
Provide both keys and signatures as example data so the verify function
can be tested without having key generation and signature creation in
the same build.

Change-Id: I881fc38162c814787c2b13ca48c0b7fd52ff32c7
Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd flynd force-pushed the config-disable-apis branch from abee80e to 3c6b183 Compare February 13, 2026 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Config flag to only build for signature verification

2 participants

@flynd @mkannwischer