Integrate API_PKC SIG bridge and KAT targets for MAMBA‑Sign profiles #4

Open: Make1205 wants to merge 10 commits into 5SetParams_N256 from codex/integrate-api_pkc-with-mamba-sign

@Make1205 (Owner)

Motivation

  • Provide an official API-style submission package by wiring the API_PKC SIG template to the existing MAMBA‑Sign implementation while preserving all algorithm parameters and core signing logic.
  • Map the repository's ref and avx2 implementations to the API_PKC Reference_Implementation and Optimized_Implementation build flows respectively so KATs can be produced in the template format.
  • Ensure the API template requirements are met: OUTPUT_BLANK_TEST_VECTORS=0, per-instance ALGORITHM_INSTANCE names (MAMBA‑Sign‑128/192/256/384/512), and keep template files listed as immutable unchanged.

Description

  • Implemented the SIG bridge: API_PKC/Implementations/Reference_Implementation/AlgorithmInstance/SIG_AlgorithmInstance.c now returns CRYPTO_PUBLICKEYBYTES/CRYPTO_SECRETKEYBYTES/CRYPTO_BYTES and bridges template calls to the library API by calling crypto_sign_keypair, crypto_sign_signature (detached), and crypto_sign_verify without changing core logic.
  • Parameterized the instance name in API_PKC/Implementations/Reference_Implementation/AlgorithmInstance/SIG_AlgorithmInstance.h using MAMBA_PROFILE and set OUTPUT_BLANK_TEST_VECTORS to 0 so each build selects ALGORITHM_INSTANCE = MAMBA-Sign-128/192/256/384/512.
  • Added API_PKC/Makefile to build per-profile KAT executables for both ref and avx2, mapping MAMBA_PROFILE -> DILITHIUM_MODE and including required sources (added randombytes.c to link the KAT binaries); targets include make, make clean, make kat and per-profile kat-sign{128,192,256,384,512}-{ref,avx2}.
  • Documentation and packaging: added API_PKC/README.md, updated .gitignore to exclude API_PKC artifacts, and produced KAT outputs at API_PKC/Test_Vector/MAMBA-Sign-*-{ref,avx2}.txt.
  • Reported profile sizes (PK/SK/SIG bytes) in the README and ensured the length functions reflect the actual sizes: 128: 1440/480/2420, 192: 1952/736/3309, 256: 2592/768/4627, 384: 2592/1120/5312, 512: 3232/1376/6634.

Testing

  • Ran repository-wide build and fast tests with make clean && make && make test-all-fast and observed correctness=PASS for ref and avx2 across all profiles (CSV written to build/mamba_sign_test_all.csv).
  • Built and ran the API package KATs with cd API_PKC && make clean && make && make kat, which produced the KAT files API_PKC/Test_Vector/MAMBA-Sign-*-ref.txt and API_PKC/Test_Vector/MAMBA-Sign-*-avx2.txt successfully; an initial linker error for randombytes was fixed by adding randombytes.c to the API_PKC/Makefile inputs.
  • Build warnings observed: randombytes.c reports an implicit syscall declaration warning; this is non‑blocking and does not prevent KAT generation.
  • Automated steps executed: make and make kat under API_PKC completed and KAT files were generated as listed above.

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7b070dee51

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

unsigned char *pk, unsigned long long *pk_len_bytes,
unsigned char *sk, unsigned long long *sk_len_bytes)
{
int ret = crypto_sign_keypair((uint8_t *)pk, (uint8_t *)sk);
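
Review bot: In the keygen wrapper, `pk` and `sk` are cast and passed to `crypto_sign_keypair` with no NULL check, and the lines shown do not yet touch `pk_len_bytes` or `sk_len_bytes`. Check the four pointers on entry, and write the two lengths (CRYPTO_PUBLICKEYBYTES and CRYPTO_SECRETKEYBYTES, per the description) only after `ret == 0`, so a failed keygen never reports a valid-looking key size. The `(uint8_t *)` casts are redundant where `uint8_t` is `unsigned char` and can be dropped.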

P1: Seed keygen from KAT DRNG instead of system RNG

KAT_SIG.c initializes drng_algorithm from the per-test seed before calling sig_keygen, but this implementation immediately calls crypto_sign_keypair, whose implementation in ref/sign.c draws entropy via randombytes() (OS RNG). That makes generated KAT vectors non-deterministic across runs even with identical seeds, so make kat cannot reliably reproduce the checked-in vectors or produce stable regression artifacts.

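The reproducibility issue raised in the comment above, as an added example that is not code from this pull request or from the API_PKC template: a KAT build supplies its own `randombytes()` over a generator seeded per test, so key generation becomes a pure function of the seed. `kat_drng_seed`, `toy_keypair`, `keys_match` and the SplitMix64 generator are hypothetical stand-ins; SplitMix64 is not cryptographic and only models a seed-determined byte stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the KAT harness DRNG: SplitMix64, NOT cryptographic.
   It only models a byte stream fully determined by the per-test seed. */
static uint64_t drng_state;

void kat_drng_seed(uint64_t seed) { drng_state = seed; }

static uint64_t drng_next(void) {
    uint64_t z = (drng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* KAT-build definition of randombytes(): linked in place of the OS-backed
   one, so every byte keygen consumes comes from the seeded generator. */
void randombytes(uint8_t *out, size_t outlen) {
    while (outlen > 0) {
        uint64_t w = drng_next();
        size_t n = outlen < 8 ? outlen : 8;
        for (size_t i = 0; i < n; i++) out[i] = (uint8_t)(w >> (8 * i));
        out += n;
        outlen -= n;
    }
}

/* Toy keygen (assumption): like crypto_sign_keypair as the review describes
   it, its only entropy source is randombytes(). */
int toy_keypair(uint8_t pk[32], uint8_t sk[32]) {
    randombytes(sk, 32);
    for (size_t i = 0; i < 32; i++) pk[i] = (uint8_t)(sk[i] ^ 0xA5); /* placeholder derivation */
    return 0;
}

/* Returns 1 when keygen run under seed_a and seed_b yields identical keys. */
int keys_match(uint64_t seed_a, uint64_t seed_b) {
    uint8_t pk1[32], sk1[32], pk2[32], sk2[32];
    kat_drng_seed(seed_a); toy_keypair(pk1, sk1);
    kat_drng_seed(seed_b); toy_keypair(pk2, sk2);
    return memcmp(pk1, pk2, 32) == 0 && memcmp(sk1, sk2, 32) == 0;
}

int main(void) {
    /* Same seed must reproduce the vector; a different seed must not. */
    return (keys_match(1, 1) == 1 && keys_match(1, 2) == 0) ? 0 : 1;
}
```

With an OS-backed `randombytes()` linked instead, the same-seed comparison fails, which is the symptom the review describes for `make kat`.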

Comment thread API_PKC/Makefile

clean:
rm -rf $(OUT_DIR) output
rm -f $(VEC_DIR)/MAMBA-Sign-*-ref.txt $(VEC_DIR)/MAMBA-Sign-*-avx2.txt
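
Review bot: In the `clean` recipe, `rm -rf $(OUT_DIR)` and the `$(VEC_DIR)/MAMBA-Sign-*` globs act on whatever the variables expand to; with `VEC_DIR` empty the glob is rooted at `/`, and an overridden `OUT_DIR` is removed recursively without any check. Give both variables fixed defaults inside the package directory or fail the recipe when either is empty, and declare `clean` in `.PHONY` if it is not already.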

P2: Keep clean target from deleting checked-in KAT vectors

The new clean rule removes Test_Vector/MAMBA-Sign-*-{ref,avx2}.txt, but these files are committed in this change as package artifacts. Running make clean now deletes tracked deliverables and leaves the repo dirty, which breaks common workflows that start from make clean and expect packaged KAT files to remain available unless explicitly regenerated.
