diff --git a/BUILD.gn b/BUILD.gn
index 42d5e46..917b4e8 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -25,17 +25,6 @@
   ]
 }
 
-pw_source_set("utils") {
-  public = [
-    "include/dice/dice.h",
-    "include/dice/utils.h",
-  ]
-  sources = [
-    "src/clear_memory.c",
-    "src/utils.c",
-  ]
-}
-
 pw_source_set("cbor_writer") {
   public = [
     "include/dice/cbor_writer.h",
@@ -43,88 +32,118 @@
   sources = [ "src/cbor_writer.c" ]
 }
 
+config("standalone_ops_config") {
+  include_dirs = [ "//include/dice/config/standalone" ]
+}
+
 pw_static_library("dice_standalone") {
-  public = [ "include/dice/dice.h" ]
-  sources = [ "src/dice.c" ]
+  public = [
+    "include/dice/dice.h",
+    "include/dice/utils.h",
+  ]
+  sources = [
+    "src/clear_memory.c",
+    "src/dice.c"
+  ]
+  all_dependent_configs = [ ":standalone_ops_config" ]
+}
+
+config("boringssl_ed25519_ops_config") {
+  include_dirs = [ "//include/dice/config/boringssl_ed25519" ]
 }
 
 pw_static_library("dice_with_boringssl_ops") {
-  public = [ "include/dice/dice.h" ]
+  public = [
+    "include/dice/dice.h",
+    "include/dice/utils.h",
+  ]
   sources = [
     "src/boringssl_cert_op.c",
     "src/boringssl_hash_kdf_sign_ops.c",
+    "src/clear_memory.c",
     "src/dice.c",
+    "src/utils.c",
   ]
   deps = [
-    ":utils",
     "//third_party/boringssl:crypto",
   ]
+  all_dependent_configs = [ ":boringssl_ed25519_ops_config" ]
+}
+
+config("mbedtls_ops_config") {
+  include_dirs = [ "//include//dice/config/mbedtls_ecdsa_p256" ]
 }
 
 pw_static_library("dice_with_mbedtls_ops") {
-  public = [ "include/dice/dice.h" ]
+  public = [
+    "include/dice/dice.h",
+    "include/dice/utils.h",
+  ]
   sources = [
+    "src/clear_memory.c",
     "src/dice.c",
     "src/mbedtls_ops.c",
+    "src/utils.c",
   ]
   deps = [
-    ":utils",
     "//third_party/mbedtls:mbedcrypto",
   ]
+  all_dependent_configs = [ ":mbedtls_ops_config" ]
 }
 
 pw_static_library("dice_with_cbor_cert") {
-  public = [ "include/dice/dice.h" ]
+  public = [
+    "include/dice/dice.h",
+    "include/dice/utils.h",
+  ]
   sources = [
     "src/boringssl_hash_kdf_sign_ops.c",
     "src/cbor_cert_op.c",
+    "src/clear_memory.c",
     "src/dice.c",
+    "src/utils.c",
   ]
   deps = [
     ":cbor_writer",
-    ":utils",
     "//third_party/boringssl:crypto",
   ]
+  all_dependent_configs = [ ":boringssl_ed25519_ops_config" ]
 }
 
 pw_static_library("dice_with_cbor_template_cert") {
-  public = [ "include/dice/dice.h" ]
+  public = [
+    "include/dice/dice.h",
+    "include/dice/utils.h",
+  ]
   sources = [
     "src/boringssl_hash_kdf_sign_ops.c",
+    "src/clear_memory.c",
     "src/dice.c",
     "src/template_cbor_cert_op.c",
+    "src/utils.c",
   ]
   deps = [
-    ":utils",
     "//third_party/boringssl:crypto",
   ]
+  all_dependent_configs = [ ":boringssl_ed25519_ops_config" ]
 }
 
 pw_static_library("dice_with_x509_template_cert") {
-  public = [ "include/dice/dice.h" ]
+  public = [
+    "include/dice/dice.h",
+    "include/dice/utils.h",
+  ]
   sources = [
     "src/boringssl_hash_kdf_sign_ops.c",
+    "src/clear_memory.c",
     "src/dice.c",
     "src/template_cert_op.c",
+    "src/utils.c",
   ]
   deps = [
-    ":utils",
     "//third_party/boringssl:crypto",
   ]
-}
-
-pw_source_set("test_utils") {
-  public = [ "include/dice/test_utils.h" ]
-  sources = [ "src/test_utils.cc" ]
-  deps = [
-    ":utils",
-    "$dir_pw_string:pw_string",
-  ]
-  public_deps = [
-    "//third_party/boringssl:crypto",
-    "//third_party/cose-c:cose-c",
-  ]
-  cflags = [ "-Wno-ignored-qualifiers" ]
+  all_dependent_configs = [ ":boringssl_ed25519_ops_config" ]
 }
 
 pw_source_set("fuzzer") {
@@ -149,17 +168,20 @@
   sources = [ "src/dice_test.cc" ]
   deps = [
     ":dice_standalone",
-    ":utils",
     "//third_party/boringssl:crypto",
   ]
 }
 
 pw_test("boringssl_ops_test") {
-  sources = [ "src/boringssl_ops_test.cc" ]
+  sources = [
+    "src/boringssl_ops_test.cc",
+    "src/test_utils.cc",
+  ]
   deps = [
     ":dice_with_boringssl_ops",
-    ":test_utils",
-    ":utils",
+    "//third_party/boringssl:crypto",
+    "//third_party/cose-c:cose-c",
+    "$dir_pw_string:pw_string",
   ]
 }
 
@@ -171,11 +193,15 @@
 }
 
 pw_test("template_cert_op_test") {
-  sources = [ "src/template_cert_op_test.cc" ]
+  sources = [
+    "src/template_cert_op_test.cc",
+    "src/test_utils.cc",
+  ]
   deps = [
     ":dice_with_x509_template_cert",
-    ":test_utils",
-    ":utils",
+    "//third_party/boringssl:crypto",
+    "//third_party/cose-c:cose-c",
+    "$dir_pw_string:pw_string",
   ]
 }
 
@@ -187,11 +213,15 @@
 }
 
 pw_test("cbor_cert_op_test") {
-  sources = [ "src/cbor_cert_op_test.cc" ]
+  sources = [
+    "src/cbor_cert_op_test.cc",
+    "src/test_utils.cc",
+  ]
   deps = [
     ":dice_with_cbor_cert",
-    ":test_utils",
-    ":utils",
+    "//third_party/boringssl:crypto",
+    "//third_party/cose-c:cose-c",
+    "$dir_pw_string:pw_string",
   ]
 }
 
@@ -203,11 +233,15 @@
 }
 
 pw_test("template_cbor_cert_op_test") {
-  sources = [ "src/template_cbor_cert_op_test.cc" ]
+  sources = [
+    "src/template_cbor_cert_op_test.cc",
+    "src/test_utils.cc",
+  ]
   deps = [
     ":dice_with_cbor_template_cert",
-    ":test_utils",
-    ":utils",
+    "//third_party/boringssl:crypto",
+    "//third_party/cose-c:cose-c",
+    "$dir_pw_string:pw_string",
   ]
 }
 
@@ -219,11 +253,15 @@
 }
 
 pw_test("mbedtls_ops_test") {
-  sources = [ "src/mbedtls_ops_test.cc" ]
+  sources = [
+    "src/mbedtls_ops_test.cc",
+    "src/test_utils.cc",
+  ]
   deps = [
     ":dice_with_mbedtls_ops",
-    ":test_utils",
-    ":utils",
+    "//third_party/boringssl:crypto",
+    "//third_party/cose-c:cose-c",
+    "$dir_pw_string:pw_string",
   ]
 }
 
@@ -266,10 +304,7 @@
 
 pw_executable("dice_standalone_main") {
   sources = [ "src/dice_standalone_main.c" ]
-  deps = [
-    ":dice_standalone",
-    ":utils",
-  ]
+  deps = [ ":dice_standalone" ]
 }
 
 pw_source_set("dice_main") {
diff --git a/include/dice/config/boringssl_ed25519/dice/config.h b/include/dice/config/boringssl_ed25519/dice/config.h
new file mode 100644
index 0000000..583ac68
--- /dev/null
+++ b/include/dice/config/boringssl_ed25519/dice/config.h
@@ -0,0 +1,23 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+#ifndef DICE_CONFIG_H_
+#define DICE_CONFIG_H_
+
+// Ed25519
+#define DICE_PUBLIC_KEY_SIZE 32
+#define DICE_PRIVATE_KEY_SIZE 64
+#define DICE_SIGNATURE_SIZE 64
+
+#endif  // DICE_DICE_CONFIG_H_
diff --git a/include/dice/config/mbedtls_ecdsa_p256/dice/config.h b/include/dice/config/mbedtls_ecdsa_p256/dice/config.h
new file mode 100644
index 0000000..11f4875
--- /dev/null
+++ b/include/dice/config/mbedtls_ecdsa_p256/dice/config.h
@@ -0,0 +1,23 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+#ifndef DICE_CONFIG_H_
+#define DICE_CONFIG_H_
+
+// ECDSA-P256
+#define DICE_PUBLIC_KEY_SIZE 33
+#define DICE_PRIVATE_KEY_SIZE 32
+#define DICE_SIGNATURE_SIZE 64
+
+#endif  // DICE_DICE_CONFIG_H_
diff --git a/include/dice/config/standalone/dice/config.h b/include/dice/config/standalone/dice/config.h
new file mode 100644
index 0000000..5f6188f
--- /dev/null
+++ b/include/dice/config/standalone/dice/config.h
@@ -0,0 +1,26 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+#ifndef DICE_CONFIG_H_
+#define DICE_CONFIG_H_
+
+// The standalone config is only used for testing. In particular, it is used
+// for tests that focus on the core aspects of the library and not the ops.
+// These value aren't yet used meaningfully in such tests so are given
+// placeholder values.
+#define DICE_PUBLIC_KEY_SIZE 1
+#define DICE_PRIVATE_KEY_SIZE 1
+#define DICE_SIGNATURE_SIZE 1
+
+#endif  // DICE_DICE_CONFIG_H_
diff --git a/include/dice/dice.h b/include/dice/dice.h
index 2f4caa7..9731247 100644
--- a/include/dice/dice.h
+++ b/include/dice/dice.h
@@ -27,8 +27,6 @@
 #define DICE_HIDDEN_SIZE 64
 #define DICE_INLINE_CONFIG_SIZE 64
 #define DICE_PRIVATE_KEY_SEED_SIZE 32
-#define DICE_PUBLIC_KEY_MAX_SIZE 48
-#define DICE_PRIVATE_KEY_MAX_SIZE 64
 
 typedef enum {
   kDiceResultOk,
diff --git a/include/dice/ops.h b/include/dice/ops.h
index cb3ee45..53f8d8e 100644
--- a/include/dice/ops.h
+++ b/include/dice/ops.h
@@ -15,6 +15,7 @@
 #ifndef DICE_OPS_H_
 #define DICE_OPS_H_
 
+#include <dice/config.h>
 #include <dice/dice.h>
 
 // These are the set of functions that implement various operations that the
@@ -43,27 +44,23 @@
 // implementation defined format so may only be passed to the |sign| operation.
 DiceResult DiceKeypairFromSeed(void* context,
                                const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
-                               uint8_t public_key[DICE_PUBLIC_KEY_MAX_SIZE],
-                               size_t* public_key_size,
-                               uint8_t private_key[DICE_PRIVATE_KEY_MAX_SIZE],
-                               size_t* private_key_size);
+                               uint8_t public_key[DICE_PUBLIC_KEY_SIZE],
+                               uint8_t private_key[DICE_PRIVATE_KEY_SIZE]);
 
 // Calculates a signature of |message_size| bytes from |message| using
 // |private_key|. |private_key| was generated by |keypair_from_seed| to allow
 // an implementation to use their own private key format. |signature| points to
-// |signature_size| bytes into which the calculated signature is written.  If
-// |signature_size| differs from the implementation's signature size,
-// kDiceResultPlatformError is returned.
+// the buffer where the calculated signature is written.
 DiceResult DiceSign(void* context, const uint8_t* message, size_t message_size,
-                    const uint8_t* private_key, size_t private_key_size,
-                    size_t signature_size, uint8_t* signature);
+                    const uint8_t private_key[DICE_PRIVATE_KEY_SIZE],
+                    uint8_t signature[DICE_SIGNATURE_SIZE]);
 
 // Verifies, using |public_key|, that |signature| covers |message_size| bytes
 // from |message|.
 DiceResult DiceVerify(void* context, const uint8_t* message,
-                      size_t message_size, const uint8_t* signature,
-                      size_t signature_size, const uint8_t* public_key,
-                      size_t public_key_size);
+                      size_t message_size,
+                      const uint8_t signature[DICE_SIGNATURE_SIZE],
+                      const uint8_t public_key[DICE_PUBLIC_KEY_SIZE]);
 
 // Generates an X.509 certificate, or an alternative certificate format, from
 // the given |subject_private_key_seed| and |input_values|, and signed by
diff --git a/src/boringssl_hash_kdf_sign_ops.c b/src/boringssl_hash_kdf_sign_ops.c
index c135dae..9198b4a 100644
--- a/src/boringssl_hash_kdf_sign_ops.c
+++ b/src/boringssl_hash_kdf_sign_ops.c
@@ -25,6 +25,19 @@
 #include "openssl/is_boringssl.h"
 #include "openssl/sha.h"
 
+#if DICE_PRIVATE_KEY_SEED_SIZE != 32
+#error "Private key seed is expected to be 32 bytes."
+#endif
+#if DICE_PUBLIC_KEY_SIZE != 32
+#error "Ed25519 needs 32 bytes to store the public key."
+#endif
+#if DICE_PRIVATE_KEY_SIZE != 64
+#error "This Ed25519 implementation needs 64 bytes for the private key."
+#endif
+#if DICE_SIGNATURE_SIZE != 64
+#error "Ed25519 needs 64 bytes to store the signature."
+#endif
+
 DiceResult DiceHash(void* context_not_used, const uint8_t* input,
                     size_t input_size, uint8_t output[DICE_HASH_SIZE]) {
   (void)context_not_used;
@@ -45,34 +58,18 @@
 
 DiceResult DiceKeypairFromSeed(void* context_not_used,
                                const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
-                               uint8_t public_key[DICE_PUBLIC_KEY_MAX_SIZE],
-                               size_t* public_key_size,
-                               uint8_t private_key[DICE_PRIVATE_KEY_MAX_SIZE],
-                               size_t* private_key_size) {
+                               uint8_t public_key[DICE_PUBLIC_KEY_SIZE],
+                               uint8_t private_key[DICE_PRIVATE_KEY_SIZE]) {
   (void)context_not_used;
-#if DICE_PRIVATE_KEY_SEED_SIZE != 32
-#error "Private key seed is expected to be 32 bytes."
-#endif
-#if DICE_PUBLIC_KEY_MAX_SIZE < 32
-#error "Ed25519 needs 32 bytes to store the public key."
-#endif
-#if DICE_PRIVATE_KEY_MAX_SIZE < 64
-#error "This Ed25519 implementation needs  64 bytes for the private key."
-#endif
   ED25519_keypair_from_seed(public_key, private_key, seed);
-  *public_key_size = 32;
-  *private_key_size = 64;
   return kDiceResultOk;
 }
 
 DiceResult DiceSign(void* context_not_used, const uint8_t* message,
-                    size_t message_size, const uint8_t* private_key,
-                    size_t private_key_size, size_t signature_size,
-                    uint8_t* signature) {
+                    size_t message_size,
+                    const uint8_t private_key[DICE_PRIVATE_KEY_SIZE],
+                    uint8_t signature[DICE_SIGNATURE_SIZE]) {
   (void)context_not_used;
-  if (private_key_size != 64 || signature_size != 64) {
-    return kDiceResultPlatformError;
-  }
   if (1 != ED25519_sign(signature, message, message_size, private_key)) {
     return kDiceResultPlatformError;
   }
@@ -80,13 +77,10 @@
 }
 
 DiceResult DiceVerify(void* context_not_used, const uint8_t* message,
-                      size_t message_size, const uint8_t* signature,
-                      size_t signature_size, const uint8_t* public_key,
-                      size_t public_key_size) {
+                      size_t message_size,
+                      const uint8_t signature[DICE_SIGNATURE_SIZE],
+                      const uint8_t public_key[DICE_PUBLIC_KEY_SIZE]) {
   (void)context_not_used;
-  if (public_key_size != 32 || signature_size != 64) {
-    return kDiceResultPlatformError;
-  }
   if (1 != ED25519_verify(message, message_size, signature, public_key)) {
     return kDiceResultPlatformError;
   }
diff --git a/src/cbor_cert_op.c b/src/cbor_cert_op.c
index a49947f..1746083 100644
--- a/src/cbor_cert_op.c
+++ b/src/cbor_cert_op.c
@@ -24,6 +24,13 @@
 #include "dice/ops.h"
 #include "dice/utils.h"
 
+#if DICE_PUBLIC_KEY_SIZE != 32
+#error "Only Ed25519 is supported; 32 bytes needed to store the public key."
+#endif
+#if DICE_SIGNATURE_SIZE != 64
+#error "Only Ed25519 is supported; 64 bytes needed to store the signature."
+#endif
+
 // Max size of COSE_Sign1 including payload.
 static const size_t kMaxCertificateSize = 2048;
 // Max size of COSE_Key encoding.
@@ -50,7 +57,7 @@
   return kDiceResultOk;
 }
 
-static DiceResult EncodePublicKey(uint8_t subject_public_key[32],
+static DiceResult EncodePublicKey(uint8_t subject_public_key[DICE_PUBLIC_KEY_SIZE],
                                   size_t buffer_size, uint8_t* buffer,
                                   size_t* encoded_size) {
   // Constants per RFC 8152.
@@ -82,7 +89,7 @@
   CborWriteInt(kCoseCrvEd25519, &out);
   // Add the subject public key.
   CborWriteInt(kCoseOkpXLabel, &out);
-  CborWriteBstr(/*data_size=*/32, subject_public_key, &out);
+  CborWriteBstr(/*data_size=*/DICE_PUBLIC_KEY_SIZE, subject_public_key, &out);
   if (CborOutOverflowed(&out)) {
     return kDiceResultBufferTooSmall;
   }
@@ -220,7 +227,7 @@
 static DiceResult EncodeCoseSign1(const uint8_t* protected_attributes,
                                   size_t protected_attributes_size,
                                   const uint8_t* payload, size_t payload_size,
-                                  const uint8_t signature[64],
+                                  const uint8_t signature[DICE_SIGNATURE_SIZE],
                                   size_t buffer_size, uint8_t* buffer,
                                   size_t* encoded_size) {
   struct CborOut out;
@@ -234,7 +241,7 @@
   // Payload.
   CborWriteBstr(payload_size, payload, &out);
   // Signature.
-  CborWriteBstr(/*num_elements=*/64, signature, &out);
+  CborWriteBstr(/*num_elements=*/DICE_SIGNATURE_SIZE, signature, &out);
   if (CborOutOverflowed(&out)) {
     return kDiceResultBufferTooSmall;
   }
@@ -257,8 +264,8 @@
   }
 
   // Declare buffers which are cleared on 'goto out'.
-  uint8_t subject_private_key[DICE_PRIVATE_KEY_MAX_SIZE];
-  uint8_t authority_private_key[DICE_PRIVATE_KEY_MAX_SIZE];
+  uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE];
+  uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE];
 
   // These are 'variably modified' types so need to be declared upfront.
   uint8_t encoded_public_key[kMaxPublicKeySize];
@@ -266,19 +273,16 @@
   uint8_t protected_attributes[kMaxProtectedAttributesSize];
 
   // Derive keys and IDs from the private key seeds.
-  uint8_t subject_public_key[DICE_PUBLIC_KEY_MAX_SIZE];
-  size_t subject_public_key_size;
-  size_t subject_private_key_size;
+  uint8_t subject_public_key[DICE_PUBLIC_KEY_SIZE];
   result = DiceKeypairFromSeed(context, subject_private_key_seed,
-                               subject_public_key, &subject_public_key_size,
-                               subject_private_key, &subject_private_key_size);
+                               subject_public_key, subject_private_key);
   if (result != kDiceResultOk) {
     goto out;
   }
 
   uint8_t subject_id[20];
   result =
-      DiceDeriveCdiCertificateId(context, subject_public_key, 32, subject_id);
+      DiceDeriveCdiCertificateId(context, subject_public_key, DICE_PUBLIC_KEY_SIZE, subject_id);
   if (result != kDiceResultOk) {
     goto out;
   }
@@ -287,20 +291,16 @@
                 sizeof(subject_id_hex));
   subject_id_hex[sizeof(subject_id_hex) - 1] = '\0';
 
-  uint8_t authority_public_key[DICE_PUBLIC_KEY_MAX_SIZE];
-  size_t authority_public_key_size;
-  size_t authority_private_key_size;
-  result =
-      DiceKeypairFromSeed(context, authority_private_key_seed,
-                          authority_public_key, &authority_public_key_size,
-                          authority_private_key, &authority_private_key_size);
+  uint8_t authority_public_key[DICE_PUBLIC_KEY_SIZE];
+  result = DiceKeypairFromSeed(context, authority_private_key_seed,
+                               authority_public_key, authority_private_key);
   if (result != kDiceResultOk) {
     goto out;
   }
 
   uint8_t authority_id[20];
   result = DiceDeriveCdiCertificateId(context, authority_public_key,
-                                      authority_public_key_size, authority_id);
+                                      DICE_PUBLIC_KEY_SIZE, authority_id);
   if (result != kDiceResultOk) {
     goto out;
   }
@@ -346,16 +346,14 @@
   }
 
   // Sign the TBS with the authority key.
-  uint8_t signature[64];
+  uint8_t signature[DICE_SIGNATURE_SIZE];
   result = DiceSign(context, certificate, *certificate_actual_size,
-                    authority_private_key, authority_private_key_size,
-                    sizeof(signature), signature);
+                    authority_private_key, signature);
   if (result != kDiceResultOk) {
     goto out;
   }
   result = DiceVerify(context, certificate, *certificate_actual_size, signature,
-                      sizeof(signature), authority_public_key,
-                      authority_public_key_size);
+                      authority_public_key);
   if (result != kDiceResultOk) {
     goto out;
   }
diff --git a/src/template_cbor_cert_op.c b/src/template_cbor_cert_op.c
index 21aa186..52eb131 100644
--- a/src/template_cbor_cert_op.c
+++ b/src/template_cbor_cert_op.c
@@ -42,6 +42,13 @@
 #include "dice/ops.h"
 #include "dice/utils.h"
 
+#if DICE_PUBLIC_KEY_SIZE != 32
+#error "Only Ed25519 is supported; 32 bytes needed to store the public key."
+#endif
+#if DICE_SIGNATURE_SIZE != 64
+#error "Only Ed25519 is supported; 64 bytes needed to store the signature."
+#endif
+
 // A well-formed certificate, but with zeros in all fields to be filled.
 static const uint8_t kTemplate[441] = {
     // Constant encoding.
@@ -170,26 +177,23 @@
   }
 
   // Declare buffers which are cleared on 'goto out'.
-  uint8_t subject_private_key[DICE_PRIVATE_KEY_MAX_SIZE];
-  uint8_t authority_private_key[DICE_PRIVATE_KEY_MAX_SIZE];
+  uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE];
+  uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE];
 
   // These are 'variably modified' types so need to be declared upfront.
   uint8_t tbs[kTbsSize];
 
   // Derive keys and IDs from the private key seeds.
-  uint8_t subject_public_key[DICE_PUBLIC_KEY_MAX_SIZE];
-  size_t subject_public_key_size;
-  size_t subject_private_key_size;
+  uint8_t subject_public_key[DICE_PUBLIC_KEY_SIZE];
   result = DiceKeypairFromSeed(context, subject_private_key_seed,
-                               subject_public_key, &subject_public_key_size,
-                               subject_private_key, &subject_private_key_size);
+                               subject_public_key, subject_private_key);
   if (result != kDiceResultOk) {
     goto out;
   }
 
   uint8_t subject_id[20];
   result = DiceDeriveCdiCertificateId(context, subject_public_key,
-                                      subject_public_key_size, subject_id);
+                                      DICE_PUBLIC_KEY_SIZE, subject_id);
   if (result != kDiceResultOk) {
     goto out;
   }
@@ -197,20 +201,16 @@
   DiceHexEncode(subject_id, sizeof(subject_id), subject_id_hex,
                 sizeof(subject_id_hex));
 
-  uint8_t authority_public_key[DICE_PUBLIC_KEY_MAX_SIZE];
-  size_t authority_public_key_size;
-  size_t authority_private_key_size;
-  result =
-      DiceKeypairFromSeed(context, authority_private_key_seed,
-                          authority_public_key, &authority_public_key_size,
-                          authority_private_key, &authority_private_key_size);
+  uint8_t authority_public_key[DICE_PUBLIC_KEY_SIZE];
+  result = DiceKeypairFromSeed(context, authority_private_key_seed,
+                               authority_public_key, authority_private_key);
   if (result != kDiceResultOk) {
     goto out;
   }
 
   uint8_t authority_id[20];
   result = DiceDeriveCdiCertificateId(context, authority_public_key,
-                                      authority_public_key_size, authority_id);
+                                      DICE_PUBLIC_KEY_SIZE, authority_id);
   if (result != kDiceResultOk) {
     goto out;
   }
@@ -236,14 +236,12 @@
          &certificate[kFieldTable[kFieldIndexPayload].offset],
          kFieldTable[kFieldIndexPayload].length);
 
-  uint8_t signature[64];
-  result = DiceSign(context, tbs, kTbsSize, authority_private_key,
-                    authority_private_key_size, sizeof(signature), signature);
+  uint8_t signature[DICE_SIGNATURE_SIZE];
+  result = DiceSign(context, tbs, kTbsSize, authority_private_key, signature);
   if (result != kDiceResultOk) {
     goto out;
   }
-  result = DiceVerify(context, tbs, kTbsSize, signature, sizeof(signature),
-                      authority_public_key, authority_public_key_size);
+  result = DiceVerify(context, tbs, kTbsSize, signature, authority_public_key);
   if (result != kDiceResultOk) {
     goto out;
   }