René Meusel

Rebased after underlying #3887 had to get some conflicts resolved.

Moved to 3.6.0 (is dependent on #4024)

With #4024 merged, this is now directly based on master and (finally) ready for prime time. The code to actually make ML-KEM-ipd happen isn't a lot, apart from the various...

Judging from appendix C.2, the only relevant addition is the domain separation in the seed expansion in Algorithm 13 (KeyGen). Basically, they just append a single byte `k = {2,3,4}`...

> That means in the ML-KEM ipd implementation the swapping of the matrix indices that happened in the ipd draft version were never implemented? I had taken that as an...

The latest push contains a first round of adaptions (mostly updating the inline document references). As of now, I didn't come across any credible KATs to verify functional changes, albeit...

Rebased after #3888.

Rebased and resolved conflicts after #3908 got merged.

I'd like to argue that the this adds almost 400 lines of test code. 🙂 However, admittedly, the code is denser than before, that's for sure.

Bring it on! 😊