Add HOL Light rej_uniform_eta proofs for AArch64 by jakemas · Pull Request #1040 · pq-code-package/mldsa-native

jakemas · 2026-04-14T21:41:38Z

Resolves #924

Some (development) notes:

I've moved the theorems that may be shared with future x86 proof to mldsa_specs.ml. Should it occur that more could be shared during the development of the x86 proof, then we can pull what we need at that point.

The CI gives a nice break down on how long each of the CORRECT and MEMSAFE proofs take. I was able to optimize the full eta2 proof quite a bit from 1h7m to just 31m, which is great considering the CORRECT takes ~24min.

CORRECT proof:
HOL-Light / AArch64 HOL Light proof for rej_uniform_eta4_aarch64_asm.S (pull_request) Successful in 11m
HOL-Light / AArch64 HOL Light proof for rej_uniform_eta2_aarch64_asm.S (pull_request) Successful in 24m

CORRECT + MEMSAFE proof:
HOL-Light / AArch64 HOL Light proof for rej_uniform_eta4_aarch64_asm.S (pull_request) Successful in 21m
HOL-Light / AArch64 HOL Light proof for rej_uniform_eta2_aarch64_asm.S (pull_request) Successful in 1h7m

Optimizations CORRECT + MEMSAFE proof:
HOL-Light / AArch64 HOL Light proof for rej_uniform_eta4_aarch64_asm.S succeeded in 18m 40s
HOL-Light / AArch64 HOL Light proof for rej_uniform_eta2_aarch64_asm.S succeeded in 31m 29s

Built with Claude Opus 4.7 1m. Using the Hol-Light MCP. About 4 weeks of effort.

oqs-bot · 2026-04-14T22:00:46Z

CBMC Results (ML-DSA-44)

Full Results (201 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1631s	1674s	-2.6%
`polyvecl_pointwise_acc_montgomery_c`	✅	243s	249s	-2%
`rej_uniform_native`	✅	114s	124s	-8%
`poly_pointwise_montgomery_c`	✅	92s	97s	-5%
`mld_invntt_layer`	✅	89s	96s	-7%
`mld_ct_memcmp`	✅	68s	67s	+1%
`mld_attempt_signature_generation`	✅	53s	58s	-9%
`mld_ntt_layer`	✅	44s	43s	+2%
`fqmul`	✅	29s	29s	+0%
`polyvec_matrix_expand`	✅	28s	29s	-3%
`sign_signature_internal`	✅	28s	28s	+0%
`sign_verify_internal`	✅	26s	27s	-4%
`keccakf1600x4_permute_native`	✅	24s	21s	+14%
`mld_check_pct`	✅	18s	17s	+6%
`rej_uniform_c`	✅	18s	20s	-10%
`rej_uniform`	✅	16s	16s	+0%
`compute_pack_t0_t1`	✅	15s	15s	+0%
`mld_ntt_butterfly_block`	✅	15s	16s	-6%
`poly_chknorm_c`	✅	15s	17s	-12%
`polyt0_unpack`	✅	15s	15s	+0%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	15s	13s	+15%
`polyvecl_chknorm`	✅	14s	15s	-7%
`poly_uniform_4x`	✅	13s	12s	+8%
`polyz_unpack_c`	✅	13s	11s	+18%
`poly_uniform_eta_4x`	✅	12s	14s	-14%
`polyeta_unpack`	✅	12s	12s	+0%
`polyvec_matrix_expand_serial`	✅	12s	11s	+9%
`mld_compute_pack_z`	✅	11s	8s	+38%
`poly_power2round`	✅	10s	10s	+0%
`keccak_absorb_once_x4`	✅	9s	8s	+12%
`poly_add`	✅	9s	11s	-18%
`poly_invntt_tomont_c`	✅	8s	9s	-11%
`poly_uniform_gamma1_4x`	✅	8s	5s	+60%
`sign`	✅	8s	7s	+14%
`pointwise_acc_native_aarch64`	✅	7s	5s	+40%
`poly_decompose_c`	✅	7s	8s	-12%
`rej_eta_c`	✅	7s	4s	+75%
`keccak_absorb`	✅	6s	6s	+0%
`poly_challenge`	✅	6s	4s	+50%
`polyveck_decompose`	✅	6s	6s	+0%
`rej_eta_native`	✅	6s	5s	+20%
`keccak_squeezeblocks_x4`	✅	5s	4s	+25%
`mld_keccakf1600_permute_c`	✅	5s	8s	-38%
`nttunpack_native_x86_64`	✅	5s	5s	+0%
`pointwise_acc_native_x86_64`	✅	5s	6s	-17%
`pointwise_native_x86_64`	✅	5s	5s	+0%
`poly_caddq_native_x86_64`	✅	5s	-	new
`poly_invntt_tomont`	✅	5s	3s	+67%
`polyveck_ntt`	✅	5s	3s	+67%
`polyvecl_ntt`	✅	5s	7s	-29%
`sig_unpack_hints`	✅	5s	4s	+25%
`sign_pk_from_sk`	✅	5s	5s	+0%
`sign_verify`	✅	5s	3s	+67%
`unpack_sk_t0hat`	✅	5s	4s	+25%
`yvec_get_poly`	✅	5s	2s	+150%
`keccak_f1600_x4_native_aarch64_v84a`	✅	4s	2s	+100%
`keccakf1600_extract_bytes (big endian)`	✅	4s	4s	+0%
`keccakf1600_xor_bytes`	✅	4s	2s	+100%
`keccakf1600x4_xor_bytes_native`	✅	4s	3s	+33%
`mld_h`	✅	4s	2s	+100%
`mld_prepare_domain_separation_prefix`	✅	4s	4s	+0%
`mld_value_barrier_u32`	✅	4s	1s	+300%
`montgomery_reduce`	✅	4s	3s	+33%
`pack_sig_c`	✅	4s	2s	+100%
`pack_sk_s1`	✅	4s	3s	+33%
`pointwise_native_aarch64`	✅	4s	2s	+100%
`poly_decompose_32_native_aarch64`	✅	4s	1s	+300%
`poly_decompose_native`	✅	4s	3s	+33%
`poly_invntt_tomont_native`	✅	4s	4s	+0%
`poly_ntt_c`	✅	4s	3s	+33%
`poly_sub`	✅	4s	2s	+100%
`poly_uniform`	✅	4s	4s	+0%
`poly_use_hint_c`	✅	4s	5s	-20%
`polyeta_pack`	✅	4s	2s	+100%
`polyt1_unpack`	✅	4s	3s	+33%
`polyvec_matrix_pointwise_montgomery_row`	✅	4s	3s	+33%
`polyveck_caddq`	✅	4s	2s	+100%
`polyveck_pack_w1`	✅	4s	3s	+33%
`reduce32`	✅	4s	4s	+0%
`rej_eta`	✅	4s	1s	+300%
`shake128_init`	✅	4s	3s	+33%
`sign_keypair_internal`	✅	4s	5s	-20%
`sign_open`	✅	4s	4s	+0%
`sign_signature`	✅	4s	6s	-33%
`sign_signature_pre_hash_shake256`	✅	4s	4s	+0%
`sign_verify_extmu`	✅	4s	5s	-20%
`sign_verify_pre_hash_internal`	✅	4s	4s	+0%
`sign_verify_pre_hash_shake256`	✅	4s	3s	+33%
`sk_s1hat_get_poly`	✅	4s	4s	+0%
`sk_s2hat_get_poly`	✅	4s	3s	+33%
`decompose`	✅	3s	2s	+50%
`fqscale`	✅	3s	2s	+50%
`intt_native_x86_64`	✅	3s	6s	-50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	2s	+50%
`keccak_f1600_x4_native_avx2`	✅	3s	2s	+50%
`keccak_finalize`	✅	3s	2s	+50%
`keccak_init`	✅	3s	4s	-25%
`keccak_squeeze`	✅	3s	2s	+50%
`keccakf1600x4_extract_bytes`	✅	3s	3s	+0%
`keccakf1600x4_extract_bytes_native`	✅	3s	3s	+0%
`keccakf1600x4_permute`	✅	3s	2s	+50%
`keccakf1600x4_xor_bytes`	✅	3s	2s	+50%
`make_hint`	✅	3s	2s	+50%
`mld_ct_get_optblocker_i64`	✅	3s	4s	-25%
`mld_keccakf1600x4_extract_bytes_c`	✅	3s	4s	-25%
`mld_polymat_expand_entry`	✅	3s	2s	+50%
`mld_sample_s1_s2`	✅	3s	4s	-25%
`mld_value_barrier_u8`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	4s	-25%
`pack_sig_z`	✅	3s	1s	+200%
`pack_sk_rho_key_tr_s2`	✅	3s	4s	-25%
`poly_caddq`	✅	3s	3s	+0%
`poly_caddq_c`	✅	3s	3s	+0%
`poly_chknorm`	✅	3s	4s	-25%
`poly_chknorm_native_aarch64`	✅	3s	2s	+50%
`poly_decompose`	✅	3s	5s	-40%
`poly_decompose_88_native_aarch64`	✅	3s	4s	-25%
`poly_ntt`	✅	3s	1s	+200%
`poly_ntt_native`	✅	3s	7s	-57%
`poly_pointwise_montgomery`	✅	3s	6s	-50%
`poly_shiftl`	✅	3s	4s	-25%
`poly_uniform_eta`	✅	3s	4s	-25%
`poly_use_hint_native_aarch64`	✅	3s	3s	+0%
`polyt0_pack`	✅	3s	6s	-50%
`polyt1_pack`	✅	3s	3s	+0%
`polyveck_chknorm`	✅	3s	5s	-40%
`polyveck_invntt_tomont`	✅	3s	5s	-40%
`polyveck_reduce`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	3s	2s	+50%
`polyvecl_uniform_gamma1_serial`	✅	3s	3s	+0%
`polyvecl_unpack_eta`	✅	3s	1s	+200%
`polyvecl_unpack_z`	✅	3s	3s	+0%
`polyz_unpack_17_native_aarch64`	✅	3s	5s	-40%
`polyz_unpack_19_native_aarch64`	✅	3s	5s	-40%
`rej_uniform_native_aarch64`	✅	3s	3s	+0%
`shake128x4_squeezeblocks`	✅	3s	1s	+200%
`shake256_init`	✅	3s	3s	+0%
`shake256x4_squeezeblocks`	✅	3s	3s	+0%
`sign_keypair`	✅	3s	6s	-50%
`sign_signature_extmu`	✅	3s	4s	-25%
`unpack_pk_t1`	✅	3s	2s	+50%
`unpack_sk`	✅	3s	3s	+0%
`use_hint`	✅	3s	5s	-40%
`yvec_init`	✅	3s	4s	-25%
`caddq`	✅	2s	4s	-50%
`intt_native_aarch64`	✅	2s	4s	-50%
`keccak_f1600_x1_native_aarch64`	✅	2s	1s	+100%
`keccakf1600_permute`	✅	2s	2s	+0%
`keccakf1600_permute_native`	✅	2s	1s	+100%
`keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`mld_ct_abs_i32`	✅	2s	3s	-33%
`mld_ct_cmask_neg_i32`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u32`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u8`	✅	2s	5s	-60%
`mld_ct_get_optblocker_u32`	✅	2s	3s	-33%
`mld_ct_sel_int32`	✅	2s	2s	+0%
`mld_keccakf1600_extract_bytes`	✅	2s	2s	+0%
`mld_keccakf1600x4_xor_bytes_c`	✅	2s	2s	+0%
`mld_sample_s1_s2_serial`	✅	2s	3s	-33%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`ntt_native_x86_64`	✅	2s	4s	-50%
`pack_sig_h`	✅	2s	1s	+100%
`poly_caddq_native`	✅	2s	5s	-60%
`poly_caddq_native_aarch64`	✅	2s	4s	-50%
`poly_chknorm_native`	✅	2s	3s	-33%
`poly_permute_bitrev_to_custom_optional_native`	✅	2s	3s	-33%
`poly_pointwise_montgomery_native`	✅	2s	2s	+0%
`poly_reduce`	✅	2s	3s	-33%
`poly_uniform_gamma1`	✅	2s	3s	-33%
`poly_use_hint`	✅	2s	2s	+0%
`poly_use_hint_native`	✅	2s	6s	-67%
`polyveck_pack_eta`	✅	2s	3s	-33%
`polyveck_unpack_eta`	✅	2s	4s	-50%
`polyvecl_pack_eta`	✅	2s	3s	-33%
`polyvecl_uniform_gamma1`	✅	2s	2s	+0%
`polyw1_pack`	✅	2s	3s	-33%
`polyz_pack`	✅	2s	3s	-33%
`polyz_unpack`	✅	2s	3s	-33%
`polyz_unpack_native`	✅	2s	3s	-33%
`rej_uniform_eta_native_aarch64`	✅	2s	-	new
`shake128_absorb`	✅	2s	4s	-50%
`shake128_finalize`	✅	2s	3s	-33%
`shake128_release`	✅	2s	3s	-33%
`shake128x4_absorb_once`	✅	2s	3s	-33%
`shake256_absorb`	✅	2s	3s	-33%
`shake256_finalize`	✅	2s	1s	+100%
`shake256_release`	✅	2s	1s	+100%
`shake256_squeeze`	✅	2s	4s	-50%
`shake256x4_absorb_once`	✅	2s	2s	+0%
`sign_signature_pre_hash_internal`	✅	2s	3s	-33%
`sk_t0hat_get_poly`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	5s	-60%
`unpack_sk_s1hat`	✅	2s	3s	-33%
`unpack_sk_s2hat`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	2s	-50%
`mld_ct_get_optblocker_u8`	✅	1s	1s	+0%
`poly_permute_bitrev_to_custom_optional`	✅	1s	3s	-67%
`power2round`	✅	1s	1s	+0%
`shake128_squeeze`	✅	1s	1s	+0%
`shake256`	✅	1s	3s	-67%

oqs-bot · 2026-04-14T22:07:30Z

CBMC Results (ML-DSA-65)

Full Results (201 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1834s	2016s	-9.0%
`polyvecl_pointwise_acc_montgomery_c`	✅	257s	319s	-19%
`polyvec_matrix_expand`	✅	142s	154s	-8%
`rej_uniform_native`	✅	119s	133s	-11%
`mld_invntt_layer`	✅	94s	97s	-3%
`poly_pointwise_montgomery_c`	✅	94s	103s	-9%
`mld_attempt_signature_generation`	✅	68s	70s	-3%
`sign_verify_internal`	✅	68s	70s	-3%
`mld_ct_memcmp`	✅	62s	76s	-18%
`sign_signature_internal`	✅	47s	47s	+0%
`mld_ntt_layer`	✅	41s	45s	-9%
`fqmul`	✅	28s	27s	+4%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	27s	29s	-7%
`polyvec_matrix_expand_serial`	✅	23s	25s	-8%
`keccakf1600x4_permute_native`	✅	22s	23s	-4%
`rej_uniform`	✅	18s	17s	+6%
`mld_ntt_butterfly_block`	✅	17s	18s	-6%
`rej_uniform_c`	✅	17s	22s	-23%
`poly_chknorm_c`	✅	16s	16s	+0%
`mld_check_pct`	✅	14s	14s	+0%
`polyt0_unpack`	✅	14s	16s	-12%
`compute_pack_t0_t1`	✅	13s	12s	+8%
`polyveck_decompose`	✅	13s	15s	-13%
`poly_uniform_eta_4x`	✅	12s	13s	-8%
`poly_add`	✅	11s	12s	-8%
`poly_uniform_4x`	✅	11s	12s	-8%
`keccak_absorb_once_x4`	✅	9s	9s	+0%
`polyveck_chknorm`	✅	9s	11s	-18%
`keccak_absorb`	✅	8s	7s	+14%
`mld_keccakf1600_permute_c`	✅	8s	6s	+33%
`poly_invntt_tomont_c`	✅	8s	10s	-20%
`poly_power2round`	✅	8s	9s	-11%
`mld_compute_pack_z`	✅	7s	7s	+0%
`poly_challenge`	✅	7s	5s	+40%
`poly_decompose_c`	✅	7s	8s	-12%
`polyveck_caddq`	✅	7s	7s	+0%
`polyveck_invntt_tomont`	✅	7s	9s	-22%
`polyveck_ntt`	✅	7s	7s	+0%
`sign`	✅	7s	12s	-42%
`pointwise_acc_native_x86_64`	✅	6s	6s	+0%
`polyvecl_ntt`	✅	6s	9s	-33%
`sign_pk_from_sk`	✅	6s	7s	-14%
`unpack_sk_t0hat`	✅	6s	5s	+20%
`decompose`	✅	5s	2s	+150%
`intt_native_x86_64`	✅	5s	5s	+0%
`keccak_squeezeblocks_x4`	✅	5s	4s	+25%
`poly_caddq_c`	✅	5s	5s	+0%
`poly_use_hint_native_aarch64`	✅	5s	2s	+150%
`polyz_unpack_19_native_aarch64`	✅	5s	5s	+0%
`rej_eta_native`	✅	5s	4s	+25%
`shake128_squeeze`	✅	5s	3s	+67%
`sign_open`	✅	5s	5s	+0%
`sign_signature`	✅	5s	5s	+0%
`sign_signature_pre_hash_internal`	✅	5s	3s	+67%
`sign_signature_pre_hash_shake256`	✅	5s	3s	+67%
`sign_verify`	✅	5s	6s	-17%
`sign_verify_pre_hash_internal`	✅	5s	4s	+25%
`intt_native_aarch64`	✅	4s	3s	+33%
`keccakf1600_xor_bytes`	✅	4s	2s	+100%
`mld_ct_cmask_nonzero_u32`	✅	4s	1s	+300%
`mld_ct_cmask_nonzero_u8`	✅	4s	3s	+33%
`mld_keccakf1600_extract_bytes`	✅	4s	2s	+100%
`mld_sample_s1_s2`	✅	4s	4s	+0%
`mld_sample_s1_s2_serial`	✅	4s	4s	+0%
`nttunpack_native_x86_64`	✅	4s	2s	+100%
`pack_sk_s1`	✅	4s	2s	+100%
`pointwise_acc_native_aarch64`	✅	4s	6s	-33%
`pointwise_native_aarch64`	✅	4s	3s	+33%
`poly_caddq_native`	✅	4s	2s	+100%
`poly_caddq_native_aarch64`	✅	4s	2s	+100%
`poly_decompose`	✅	4s	2s	+100%
`poly_reduce`	✅	4s	2s	+100%
`poly_uniform_gamma1`	✅	4s	2s	+100%
`polyt0_pack`	✅	4s	3s	+33%
`polyveck_pack_w1`	✅	4s	4s	+0%
`polyveck_unpack_eta`	✅	4s	2s	+100%
`polyvecl_chknorm`	✅	4s	5s	-20%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	4s	+0%
`polyz_unpack_c`	✅	4s	2s	+100%
`reduce32`	✅	4s	2s	+100%
`rej_uniform_native_aarch64`	✅	4s	2s	+100%
`shake128_absorb`	✅	4s	3s	+33%
`shake128_finalize`	✅	4s	2s	+100%
`shake128x4_absorb_once`	✅	4s	3s	+33%
`shake256x4_absorb_once`	✅	4s	3s	+33%
`sign_keypair`	✅	4s	5s	-20%
`sign_verify_extmu`	✅	4s	7s	-43%
`use_hint`	✅	4s	3s	+33%
`keccak_f1600_x1_native_aarch64`	✅	3s	5s	-40%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	3s	+0%
`keccak_init`	✅	3s	2s	+50%
`keccak_squeeze`	✅	3s	4s	-25%
`keccakf1600_extract_bytes (big endian)`	✅	3s	3s	+0%
`keccakf1600x4_permute`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes`	✅	3s	2s	+50%
`mld_ct_abs_i32`	✅	3s	1s	+200%
`mld_ct_get_optblocker_u32`	✅	3s	2s	+50%
`mld_ct_get_optblocker_u8`	✅	3s	1s	+200%
`mld_keccakf1600x4_extract_bytes_c`	✅	3s	4s	-25%
`mld_polymat_expand_entry`	✅	3s	2s	+50%
`mld_prepare_domain_separation_prefix`	✅	3s	5s	-40%
`mld_value_barrier_u8`	✅	3s	3s	+0%
`montgomery_reduce`	✅	3s	2s	+50%
`ntt_native_aarch64`	✅	3s	2s	+50%
`pack_sig_h`	✅	3s	4s	-25%
`pack_sk_rho_key_tr_s2`	✅	3s	5s	-40%
`poly_caddq_native_x86_64`	✅	3s	-	new
`poly_chknorm_native_aarch64`	✅	3s	4s	-25%
`poly_decompose_native`	✅	3s	5s	-40%
`poly_invntt_tomont`	✅	3s	4s	-25%
`poly_ntt`	✅	3s	2s	+50%
`poly_ntt_c`	✅	3s	3s	+0%
`poly_permute_bitrev_to_custom_optional_native`	✅	3s	4s	-25%
`poly_pointwise_montgomery`	✅	3s	3s	+0%
`poly_pointwise_montgomery_native`	✅	3s	4s	-25%
`poly_uniform`	✅	3s	4s	-25%
`poly_use_hint`	✅	3s	3s	+0%
`polyeta_pack`	✅	3s	3s	+0%
`polyeta_unpack`	✅	3s	4s	-25%
`polyvec_matrix_pointwise_montgomery_row`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	3s	+0%
`polyvecl_pack_eta`	✅	3s	4s	-25%
`polyvecl_pointwise_acc_montgomery`	✅	3s	4s	-25%
`polyvecl_uniform_gamma1`	✅	3s	5s	-40%
`polyvecl_unpack_eta`	✅	3s	3s	+0%
`polyz_unpack_17_native_aarch64`	✅	3s	3s	+0%
`polyz_unpack_native`	✅	3s	2s	+50%
`rej_eta`	✅	3s	3s	+0%
`rej_eta_c`	✅	3s	3s	+0%
`rej_uniform_eta_native_aarch64`	✅	3s	-	new
`shake128_release`	✅	3s	1s	+200%
`shake256_init`	✅	3s	2s	+50%
`sign_keypair_internal`	✅	3s	2s	+50%
`sign_signature_extmu`	✅	3s	3s	+0%
`sign_verify_pre_hash_shake256`	✅	3s	2s	+50%
`sk_s1hat_get_poly`	✅	3s	4s	-25%
`sk_s2hat_get_poly`	✅	3s	4s	-25%
`sk_t0hat_get_poly`	✅	3s	2s	+50%
`unpack_pk_t1`	✅	3s	4s	-25%
`unpack_sk`	✅	3s	3s	+0%
`caddq`	✅	2s	2s	+0%
`fqscale`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	1s	+100%
`keccak_f1600_x4_native_avx2`	✅	2s	2s	+0%
`keccak_finalize`	✅	2s	3s	-33%
`keccakf1600_xor_bytes (big endian)`	✅	2s	5s	-60%
`keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes_native`	✅	2s	3s	-33%
`make_hint`	✅	2s	4s	-50%
`mld_ct_get_optblocker_i64`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	3s	-33%
`mld_h`	✅	2s	4s	-50%
`mld_keccakf1600x4_xor_bytes_c`	✅	2s	2s	+0%
`mld_value_barrier_u32`	✅	2s	2s	+0%
`ntt_native_x86_64`	✅	2s	4s	-50%
`pack_sig_c`	✅	2s	1s	+100%
`pack_sig_z`	✅	2s	2s	+0%
`pointwise_native_x86_64`	✅	2s	6s	-67%
`poly_caddq`	✅	2s	3s	-33%
`poly_chknorm_native`	✅	2s	5s	-60%
`poly_decompose_32_native_aarch64`	✅	2s	2s	+0%
`poly_decompose_88_native_aarch64`	✅	2s	4s	-50%
`poly_invntt_tomont_native`	✅	2s	3s	-33%
`poly_ntt_native`	✅	2s	4s	-50%
`poly_permute_bitrev_to_custom_optional`	✅	2s	5s	-60%
`poly_shiftl`	✅	2s	3s	-33%
`poly_sub`	✅	2s	3s	-33%
`poly_uniform_gamma1_4x`	✅	2s	5s	-60%
`poly_use_hint_c`	✅	2s	3s	-33%
`poly_use_hint_native`	✅	2s	3s	-33%
`polyt1_pack`	✅	2s	4s	-50%
`polyveck_reduce`	✅	2s	4s	-50%
`polyvecl_uniform_gamma1_serial`	✅	2s	5s	-60%
`polyvecl_unpack_z`	✅	2s	3s	-33%
`polyw1_pack`	✅	2s	6s	-67%
`polyz_unpack`	✅	2s	5s	-60%
`power2round`	✅	2s	3s	-33%
`shake128_init`	✅	2s	4s	-50%
`shake128x4_squeezeblocks`	✅	2s	1s	+100%
`shake256_absorb`	✅	2s	2s	+0%
`shake256_finalize`	✅	2s	1s	+100%
`shake256_release`	✅	2s	2s	+0%
`shake256_squeeze`	✅	2s	1s	+100%
`shake256x4_squeezeblocks`	✅	2s	3s	-33%
`sig_unpack_hints`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	4s	-50%
`unpack_sk_s1hat`	✅	2s	3s	-33%
`unpack_sk_s2hat`	✅	2s	3s	-33%
`yvec_get_poly`	✅	2s	3s	-33%
`yvec_init`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	1s	+0%
`keccakf1600_permute`	✅	1s	1s	+0%
`keccakf1600_permute_native`	✅	1s	3s	-67%
`keccakf1600x4_xor_bytes_native`	✅	1s	5s	-80%
`mld_ct_cmask_neg_i32`	✅	1s	3s	-67%
`mld_value_barrier_i64`	✅	1s	2s	-50%
`poly_chknorm`	✅	1s	4s	-75%
`poly_uniform_eta`	✅	1s	5s	-80%
`polyt1_unpack`	✅	1s	4s	-75%
`polyz_pack`	✅	1s	2s	-50%
`shake256`	✅	1s	4s	-75%

oqs-bot · 2026-04-14T22:15:30Z

CBMC Results (ML-DSA-87)

Full Results (201 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2096s	2060s	+1.7%
`polyvecl_pointwise_acc_montgomery_c`	✅	290s	261s	+11%
`polyvec_matrix_expand`	✅	180s	177s	+2%
`rej_uniform_native`	✅	129s	128s	+1%
`poly_pointwise_montgomery_c`	✅	107s	96s	+11%
`mld_attempt_signature_generation`	✅	106s	102s	+4%
`mld_invntt_layer`	✅	99s	93s	+6%
`sign_verify_internal`	✅	91s	87s	+5%
`mld_ct_memcmp`	✅	69s	70s	-1%
`sign_signature_internal`	✅	52s	52s	+0%
`mld_ntt_layer`	✅	44s	45s	-2%
`polyvec_matrix_expand_serial`	✅	39s	40s	-3%
`fqmul`	✅	31s	26s	+19%
`compute_pack_t0_t1`	✅	27s	25s	+8%
`keccakf1600x4_permute_native`	✅	23s	23s	+0%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	21s	21s	+0%
`mld_ntt_butterfly_block`	✅	19s	15s	+27%
`rej_uniform_c`	✅	18s	17s	+6%
`poly_chknorm_c`	✅	17s	16s	+6%
`rej_uniform`	✅	16s	17s	-6%
`poly_uniform_4x`	✅	15s	10s	+50%
`polyt0_unpack`	✅	15s	16s	-6%
`polyeta_unpack`	✅	14s	14s	+0%
`mld_check_pct`	✅	13s	16s	-19%
`poly_uniform_eta_4x`	✅	13s	15s	-13%
`poly_add`	✅	12s	12s	+0%
`polyveck_decompose`	✅	12s	11s	+9%
`polyveck_invntt_tomont`	✅	11s	10s	+10%
`keccak_absorb_once_x4`	✅	10s	10s	+0%
`mld_compute_pack_z`	✅	9s	9s	+0%
`polyveck_ntt`	✅	9s	9s	+0%
`poly_challenge`	✅	8s	3s	+167%
`poly_power2round`	✅	8s	10s	-20%
`polyz_unpack_c`	✅	8s	7s	+14%
`sign`	✅	8s	8s	+0%
`pointwise_acc_native_aarch64`	✅	7s	5s	+40%
`pointwise_acc_native_x86_64`	✅	7s	7s	+0%
`poly_invntt_tomont_c`	✅	7s	7s	+0%
`polyveck_caddq`	✅	7s	9s	-22%
`polyveck_chknorm`	✅	7s	8s	-12%
`sign_keypair_internal`	✅	7s	4s	+75%
`unpack_sk_t0hat`	✅	7s	5s	+40%
`mld_keccakf1600_permute_c`	✅	6s	8s	-25%
`mld_prepare_domain_separation_prefix`	✅	6s	5s	+20%
`mld_sample_s1_s2_serial`	✅	6s	4s	+50%
`poly_uniform_eta`	✅	6s	2s	+200%
`polyvecl_ntt`	✅	6s	7s	-14%
`polyz_unpack_19_native_aarch64`	✅	6s	4s	+50%
`sign_verify`	✅	6s	6s	+0%
`keccak_absorb`	✅	5s	5s	+0%
`keccak_squeezeblocks_x4`	✅	5s	4s	+25%
`mld_ct_cmask_neg_i32`	✅	5s	3s	+67%
`mld_sample_s1_s2`	✅	5s	5s	+0%
`ntt_native_x86_64`	✅	5s	3s	+67%
`nttunpack_native_x86_64`	✅	5s	3s	+67%
`pack_sig_h`	✅	5s	3s	+67%
`poly_uniform`	✅	5s	7s	-29%
`polyt1_pack`	✅	5s	2s	+150%
`polyt1_unpack`	✅	5s	2s	+150%
`polyveck_unpack_eta`	✅	5s	4s	+25%
`polyvecl_chknorm`	✅	5s	6s	-17%
`polyvecl_pointwise_acc_montgomery_native`	✅	5s	3s	+67%
`polyvecl_uniform_gamma1`	✅	5s	4s	+25%
`sign_open`	✅	5s	3s	+67%
`sign_pk_from_sk`	✅	5s	6s	-17%
`unpack_sk`	✅	5s	4s	+25%
`unpack_sk_s2hat`	✅	5s	4s	+25%
`yvec_init`	✅	5s	4s	+25%
`keccak_finalize`	✅	4s	3s	+33%
`keccakf1600x4_xor_bytes`	✅	4s	3s	+33%
`mld_polymat_expand_entry`	✅	4s	3s	+33%
`pack_sk_s1`	✅	4s	4s	+0%
`pointwise_native_x86_64`	✅	4s	4s	+0%
`poly_caddq_native`	✅	4s	3s	+33%
`poly_chknorm`	✅	4s	6s	-33%
`poly_chknorm_native_aarch64`	✅	4s	2s	+100%
`poly_decompose`	✅	4s	5s	-20%
`poly_decompose_c`	✅	4s	3s	+33%
`poly_ntt_native`	✅	4s	5s	-20%
`poly_permute_bitrev_to_custom_optional`	✅	4s	3s	+33%
`poly_pointwise_montgomery_native`	✅	4s	3s	+33%
`poly_use_hint_c`	✅	4s	4s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	4s	6s	-33%
`polyvecl_unpack_z`	✅	4s	2s	+100%
`polyw1_pack`	✅	4s	4s	+0%
`polyz_unpack_native`	✅	4s	2s	+100%
`rej_eta`	✅	4s	3s	+33%
`rej_eta_native`	✅	4s	4s	+0%
`shake256`	✅	4s	3s	+33%
`shake256_squeeze`	✅	4s	4s	+0%
`shake256x4_absorb_once`	✅	4s	2s	+100%
`sign_keypair`	✅	4s	5s	-20%
`sign_signature_pre_hash_internal`	✅	4s	6s	-33%
`sign_signature_pre_hash_shake256`	✅	4s	5s	-20%
`sign_verify_pre_hash_shake256`	✅	4s	6s	-33%
`sk_s2hat_get_poly`	✅	4s	3s	+33%
`sys_check_capability`	✅	4s	4s	+0%
`use_hint`	✅	4s	5s	-20%
`decompose`	✅	3s	4s	-25%
`intt_native_x86_64`	✅	3s	5s	-40%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	2s	+50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	3s	2s	+50%
`keccak_f1600_x4_native_avx2`	✅	3s	3s	+0%
`keccak_init`	✅	3s	2s	+50%
`keccak_squeeze`	✅	3s	3s	+0%
`keccakf1600_permute_native`	✅	3s	3s	+0%
`keccakf1600x4_extract_bytes_native`	✅	3s	5s	-40%
`keccakf1600x4_permute`	✅	3s	5s	-40%
`mld_ct_cmask_nonzero_u32`	✅	3s	3s	+0%
`mld_ct_cmask_nonzero_u8`	✅	3s	3s	+0%
`mld_ct_get_optblocker_u8`	✅	3s	3s	+0%
`mld_keccakf1600x4_xor_bytes_c`	✅	3s	3s	+0%
`mld_value_barrier_i64`	✅	3s	3s	+0%
`mld_value_barrier_u8`	✅	3s	3s	+0%
`montgomery_reduce`	✅	3s	2s	+50%
`ntt_native_aarch64`	✅	3s	3s	+0%
`pack_sig_c`	✅	3s	2s	+50%
`pack_sig_z`	✅	3s	3s	+0%
`pack_sk_rho_key_tr_s2`	✅	3s	3s	+0%
`poly_caddq_c`	✅	3s	4s	-25%
`poly_caddq_native_aarch64`	✅	3s	3s	+0%
`poly_caddq_native_x86_64`	✅	3s	-	new
`poly_chknorm_native`	✅	3s	3s	+0%
`poly_decompose_32_native_aarch64`	✅	3s	3s	+0%
`poly_ntt`	✅	3s	3s	+0%
`poly_permute_bitrev_to_custom_optional_native`	✅	3s	4s	-25%
`poly_pointwise_montgomery`	✅	3s	2s	+50%
`poly_reduce`	✅	3s	2s	+50%
`poly_shiftl`	✅	3s	4s	-25%
`poly_uniform_gamma1_4x`	✅	3s	5s	-40%
`poly_use_hint`	✅	3s	5s	-40%
`polyeta_pack`	✅	3s	3s	+0%
`polyveck_reduce`	✅	3s	1s	+200%
`polyvecl_pack_eta`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1_serial`	✅	3s	4s	-25%
`polyvecl_unpack_eta`	✅	3s	6s	-50%
`polyz_unpack_17_native_aarch64`	✅	3s	6s	-50%
`reduce32`	✅	3s	2s	+50%
`rej_eta_c`	✅	3s	3s	+0%
`rej_uniform_native_aarch64`	✅	3s	7s	-57%
`shake128_finalize`	✅	3s	1s	+200%
`shake128_init`	✅	3s	3s	+0%
`shake256_absorb`	✅	3s	2s	+50%
`sig_unpack_hints`	✅	3s	5s	-40%
`sign_signature`	✅	3s	3s	+0%
`sign_signature_extmu`	✅	3s	5s	-40%
`sign_verify_pre_hash_internal`	✅	3s	2s	+50%
`sk_s1hat_get_poly`	✅	3s	4s	-25%
`unpack_sk_s1hat`	✅	3s	4s	-25%
`caddq`	✅	2s	4s	-50%
`fqscale`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccakf1600_permute`	✅	2s	4s	-50%
`keccakf1600_xor_bytes`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`keccakf1600x4_xor_bytes_native`	✅	2s	2s	+0%
`mld_ct_abs_i32`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	1s	+100%
`mld_h`	✅	2s	2s	+0%
`mld_keccakf1600_extract_bytes`	✅	2s	2s	+0%
`mld_value_barrier_u32`	✅	2s	1s	+100%
`poly_caddq`	✅	2s	3s	-33%
`poly_decompose_88_native_aarch64`	✅	2s	3s	-33%
`poly_decompose_native`	✅	2s	4s	-50%
`poly_invntt_tomont`	✅	2s	2s	+0%
`poly_ntt_c`	✅	2s	3s	-33%
`poly_sub`	✅	2s	5s	-60%
`poly_uniform_gamma1`	✅	2s	2s	+0%
`poly_use_hint_native`	✅	2s	4s	-50%
`poly_use_hint_native_aarch64`	✅	2s	2s	+0%
`polyt0_pack`	✅	2s	3s	-33%
`polyvec_matrix_pointwise_montgomery_row`	✅	2s	3s	-33%
`polyveck_pack_w1`	✅	2s	3s	-33%
`polyz_pack`	✅	2s	2s	+0%
`polyz_unpack`	✅	2s	3s	-33%
`power2round`	✅	2s	2s	+0%
`rej_uniform_eta_native_aarch64`	✅	2s	-	new
`shake128_absorb`	✅	2s	4s	-50%
`shake128_release`	✅	2s	3s	-33%
`shake128_squeeze`	✅	2s	3s	-33%
`shake128x4_absorb_once`	✅	2s	2s	+0%
`shake128x4_squeezeblocks`	✅	2s	4s	-50%
`shake256_finalize`	✅	2s	3s	-33%
`shake256_release`	✅	2s	2s	+0%
`shake256x4_squeezeblocks`	✅	2s	1s	+100%
`sign_verify_extmu`	✅	2s	4s	-50%
`unpack_pk_t1`	✅	2s	1s	+100%
`yvec_get_poly`	✅	2s	6s	-67%
`intt_native_aarch64`	✅	1s	5s	-80%
`keccak_f1600_x1_native_aarch64_v84a`	✅	1s	2s	-50%
`keccakf1600_extract_bytes (big endian)`	✅	1s	4s	-75%
`keccakf1600_xor_bytes (big endian)`	✅	1s	3s	-67%
`make_hint`	✅	1s	6s	-83%
`mld_ct_get_optblocker_i64`	✅	1s	1s	+0%
`mld_keccakf1600x4_extract_bytes_c`	✅	1s	3s	-67%
`pointwise_native_aarch64`	✅	1s	3s	-67%
`poly_invntt_tomont_native`	✅	1s	5s	-80%
`polyveck_pack_eta`	✅	1s	3s	-67%
`shake256_init`	✅	1s	2s	-50%
`sk_t0hat_get_poly`	✅	1s	3s	-67%

oqs-bot · 2026-04-24T21:07:03Z

CBMC Results (ML-DSA-44, REDUCE-RAM)

Full Results (201 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1513s	1437s	+5.3%
`poly_pointwise_montgomery_c`	✅	192s	171s	+12%
`rej_uniform_native`	✅	114s	105s	+9%
`mld_invntt_layer`	✅	109s	106s	+3%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	94s	93s	+1%
`mld_ct_memcmp`	✅	68s	67s	+1%
`mld_ntt_layer`	✅	44s	42s	+5%
`fqmul`	✅	29s	29s	+0%
`mld_attempt_signature_generation`	✅	26s	24s	+8%
`keccakf1600x4_permute_native`	✅	23s	24s	-4%
`rej_uniform`	✅	22s	20s	+10%
`sign_verify_internal`	✅	21s	22s	-5%
`rej_uniform_c`	✅	19s	16s	+19%
`mld_check_pct`	✅	18s	16s	+12%
`mld_ntt_butterfly_block`	✅	18s	17s	+6%
`polyeta_unpack`	✅	15s	17s	-12%
`polyveck_chknorm`	✅	14s	9s	+56%
`poly_chknorm_c`	✅	12s	12s	+0%
`poly_uniform_eta_4x`	✅	12s	10s	+20%
`poly_add`	✅	11s	10s	+10%
`polyt0_unpack`	✅	11s	12s	-8%
`polyvec_matrix_pointwise_montgomery_row`	✅	11s	8s	+38%
`polyz_unpack_c`	✅	11s	15s	-27%
`poly_invntt_tomont_c`	✅	10s	7s	+43%
`keccak_absorb_once_x4`	✅	9s	10s	-10%
`poly_caddq_c`	✅	8s	10s	-20%
`polyveck_reduce`	✅	8s	4s	+100%
`compute_pack_t0_t1`	✅	7s	8s	-12%
`pointwise_acc_native_x86_64`	✅	7s	6s	+17%
`poly_decompose_c`	✅	7s	10s	-30%
`poly_power2round`	✅	7s	8s	-12%
`sign_signature_internal`	✅	7s	5s	+40%
`keccak_absorb`	✅	6s	7s	-14%
`mld_compute_pack_z`	✅	6s	6s	+0%
`mld_h`	✅	6s	3s	+100%
`poly_ntt_native`	✅	6s	4s	+50%
`poly_uniform`	✅	6s	5s	+20%
`polyveck_decompose`	✅	6s	6s	+0%
`sig_unpack_hints`	✅	6s	3s	+100%
`sign`	✅	6s	7s	-14%
`sign_pk_from_sk`	✅	6s	6s	+0%
`sign_signature_extmu`	✅	6s	4s	+50%
`mld_ct_sel_int32`	✅	5s	3s	+67%
`mld_keccakf1600_permute_c`	✅	5s	7s	-29%
`mld_keccakf1600x4_extract_bytes_c`	✅	5s	5s	+0%
`mld_value_barrier_u32`	✅	5s	2s	+150%
`pack_sig_h`	✅	5s	3s	+67%
`pointwise_acc_native_aarch64`	✅	5s	5s	+0%
`pointwise_native_x86_64`	✅	5s	2s	+150%
`poly_caddq_native`	✅	5s	5s	+0%
`poly_chknorm_native`	✅	5s	3s	+67%
`poly_invntt_tomont`	✅	5s	2s	+150%
`poly_invntt_tomont_native`	✅	5s	4s	+25%
`poly_shiftl`	✅	5s	6s	-17%
`poly_sub`	✅	5s	2s	+150%
`poly_uniform_4x`	✅	5s	3s	+67%
`poly_use_hint`	✅	5s	1s	+400%
`polyt1_unpack`	✅	5s	2s	+150%
`polyvec_matrix_expand`	✅	5s	3s	+67%
`polyvecl_chknorm`	✅	5s	7s	-29%
`polyvecl_ntt`	✅	5s	4s	+25%
`polyz_unpack`	✅	5s	2s	+150%
`rej_eta_c`	✅	5s	3s	+67%
`rej_eta_native`	✅	5s	5s	+0%
`shake128_squeeze`	✅	5s	2s	+150%
`sign_keypair_internal`	✅	5s	3s	+67%
`sign_open`	✅	5s	5s	+0%
`sign_verify`	✅	5s	3s	+67%
`sign_verify_extmu`	✅	5s	5s	+0%
`fqscale`	✅	4s	4s	+0%
`keccak_f1600_x1_native_aarch64`	✅	4s	3s	+33%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	4s	1s	+300%
`keccak_squeezeblocks_x4`	✅	4s	5s	-20%
`mld_prepare_domain_separation_prefix`	✅	4s	5s	-20%
`mld_sample_s1_s2`	✅	4s	2s	+100%
`pack_sk_rho_key_tr_s2`	✅	4s	3s	+33%
`pointwise_native_aarch64`	✅	4s	2s	+100%
`poly_challenge`	✅	4s	4s	+0%
`poly_decompose_88_native_aarch64`	✅	4s	3s	+33%
`poly_permute_bitrev_to_custom_optional_native`	✅	4s	3s	+33%
`poly_reduce`	✅	4s	3s	+33%
`poly_uniform_gamma1_4x`	✅	4s	5s	-20%
`poly_use_hint_c`	✅	4s	2s	+100%
`polyeta_pack`	✅	4s	3s	+33%
`polyveck_invntt_tomont`	✅	4s	3s	+33%
`polyveck_pack_w1`	✅	4s	1s	+300%
`polyvecl_pointwise_acc_montgomery_c`	✅	4s	2s	+100%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	3s	+33%
`polyvecl_unpack_eta`	✅	4s	3s	+33%
`polyz_unpack_native`	✅	4s	3s	+33%
`rej_eta`	✅	4s	3s	+33%
`rej_uniform_native_aarch64`	✅	4s	5s	-20%
`shake128_release`	✅	4s	1s	+300%
`shake256x4_squeezeblocks`	✅	4s	2s	+100%
`sign_keypair`	✅	4s	3s	+33%
`sign_signature_pre_hash_shake256`	✅	4s	3s	+33%
`sign_verify_pre_hash_internal`	✅	4s	2s	+100%
`unpack_pk_t1`	✅	4s	2s	+100%
`unpack_sk_s2hat`	✅	4s	2s	+100%
`intt_native_aarch64`	✅	3s	3s	+0%
`intt_native_x86_64`	✅	3s	7s	-57%
`keccak_f1600_x4_native_aarch64_v84a`	✅	3s	2s	+50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	3s	+0%
`keccak_squeeze`	✅	3s	4s	-25%
`keccakf1600_extract_bytes (big endian)`	✅	3s	2s	+50%
`keccakf1600_permute_native`	✅	3s	3s	+0%
`keccakf1600x4_extract_bytes_native`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u8`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	3s	+0%
`ntt_native_x86_64`	✅	3s	2s	+50%
`nttunpack_native_x86_64`	✅	3s	5s	-40%
`pack_sk_s1`	✅	3s	3s	+0%
`poly_caddq`	✅	3s	2s	+50%
`poly_caddq_native_aarch64`	✅	3s	3s	+0%
`poly_decompose`	✅	3s	3s	+0%
`poly_decompose_32_native_aarch64`	✅	3s	2s	+50%
`poly_decompose_native`	✅	3s	2s	+50%
`poly_ntt_c`	✅	3s	4s	-25%
`poly_pointwise_montgomery`	✅	3s	2s	+50%
`poly_pointwise_montgomery_native`	✅	3s	5s	-40%
`poly_uniform_eta`	✅	3s	5s	-40%
`poly_use_hint_native`	✅	3s	4s	-25%
`polyt0_pack`	✅	3s	3s	+0%
`polyveck_ntt`	✅	3s	2s	+50%
`polyveck_unpack_eta`	✅	3s	2s	+50%
`polyvecl_uniform_gamma1`	✅	3s	3s	+0%
`polyw1_pack`	✅	3s	2s	+50%
`polyz_pack`	✅	3s	2s	+50%
`polyz_unpack_17_native_aarch64`	✅	3s	3s	+0%
`shake128_init`	✅	3s	2s	+50%
`shake128x4_absorb_once`	✅	3s	3s	+0%
`shake128x4_squeezeblocks`	✅	3s	4s	-25%
`shake256_squeeze`	✅	3s	3s	+0%
`shake256x4_absorb_once`	✅	3s	3s	+0%
`sign_signature_pre_hash_internal`	✅	3s	3s	+0%
`sign_verify_pre_hash_shake256`	✅	3s	4s	-25%
`sys_check_capability`	✅	3s	4s	-25%
`unpack_sk_s1hat`	✅	3s	1s	+200%
`yvec_get_poly`	✅	3s	4s	-25%
`yvec_init`	✅	3s	1s	+200%
`caddq`	✅	2s	2s	+0%
`decompose`	✅	2s	3s	-33%
`keccak_finalize`	✅	2s	3s	-33%
`keccak_init`	✅	2s	2s	+0%
`keccakf1600_permute`	✅	2s	3s	-33%
`keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`keccakf1600x4_xor_bytes_native`	✅	2s	4s	-50%
`make_hint`	✅	2s	3s	-33%
`mld_ct_cmask_neg_i32`	✅	2s	3s	-33%
`mld_ct_get_optblocker_i64`	✅	2s	1s	+100%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_keccakf1600_extract_bytes`	✅	2s	4s	-50%
`mld_keccakf1600x4_xor_bytes_c`	✅	2s	2s	+0%
`mld_polymat_expand_entry`	✅	2s	2s	+0%
`mld_sample_s1_s2_serial`	✅	2s	5s	-60%
`mld_value_barrier_i64`	✅	2s	5s	-60%
`mld_value_barrier_u8`	✅	2s	2s	+0%
`montgomery_reduce`	✅	2s	3s	-33%
`pack_sig_c`	✅	2s	3s	-33%
`pack_sig_z`	✅	2s	5s	-60%
`poly_caddq_native_x86_64`	✅	2s	-	new
`poly_chknorm`	✅	2s	3s	-33%
`poly_chknorm_native_aarch64`	✅	2s	2s	+0%
`polyt1_pack`	✅	2s	2s	+0%
`polyvec_matrix_expand_serial`	✅	2s	5s	-60%
`polyveck_caddq`	✅	2s	4s	-50%
`polyveck_pack_eta`	✅	2s	2s	+0%
`polyvecl_pack_eta`	✅	2s	4s	-50%
`polyvecl_pointwise_acc_montgomery`	✅	2s	2s	+0%
`polyvecl_uniform_gamma1_serial`	✅	2s	3s	-33%
`polyvecl_unpack_z`	✅	2s	2s	+0%
`polyz_unpack_19_native_aarch64`	✅	2s	2s	+0%
`reduce32`	✅	2s	1s	+100%
`rej_uniform_eta_native_aarch64`	✅	2s	-	new
`shake128_absorb`	✅	2s	4s	-50%
`shake128_finalize`	✅	2s	2s	+0%
`shake256`	✅	2s	3s	-33%
`shake256_absorb`	✅	2s	3s	-33%
`shake256_finalize`	✅	2s	2s	+0%
`shake256_init`	✅	2s	4s	-50%
`shake256_release`	✅	2s	2s	+0%
`sign_signature`	✅	2s	3s	-33%
`sk_s1hat_get_poly`	✅	2s	3s	-33%
`sk_s2hat_get_poly`	✅	2s	2s	+0%
`sk_t0hat_get_poly`	✅	2s	2s	+0%
`unpack_sk`	✅	2s	2s	+0%
`unpack_sk_t0hat`	✅	2s	3s	-33%
`use_hint`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	1s	2s	-50%
`keccak_f1600_x4_native_avx2`	✅	1s	2s	-50%
`keccakf1600_xor_bytes`	✅	1s	2s	-50%
`keccakf1600x4_permute`	✅	1s	3s	-67%
`keccakf1600x4_xor_bytes`	✅	1s	3s	-67%
`mld_ct_abs_i32`	✅	1s	2s	-50%
`mld_ct_cmask_nonzero_u32`	✅	1s	3s	-67%
`mld_ct_get_optblocker_u32`	✅	1s	3s	-67%
`poly_ntt`	✅	1s	1s	+0%
`poly_permute_bitrev_to_custom_optional`	✅	1s	3s	-67%
`poly_uniform_gamma1`	✅	1s	3s	-67%
`poly_use_hint_native_aarch64`	✅	1s	3s	-67%
`power2round`	✅	1s	6s	-83%

…ty proofs Add functional correctness, subroutine correctness, memory-safety and subroutine-safety proofs for the AArch64 assembly implementations of rej_uniform_eta for both eta variants: - rej_uniform_eta2 (eta=2, used in ML-DSA-44) - rej_uniform_eta4 (eta=4, used in ML-DSA-65/87) Memory safety follows the mlkem_rej_uniform_VARIABLE_TIME pattern in s2n-bignum because the loop count is data-dependent (which nibbles pass the < 9 / < 15 filter). Written with the assistance of Claude Opus 4.7. Signed-off-by: Jake Massimo <jakemas@amazon.com>

jakemas · 2026-05-29T19:48:43Z

@mkannwischer @hanno-becker Ready for review

mkannwischer

Thanks @jakemas for finishing the last AArch64 proof - exciting!!
I found a couple of mistakes.

mkannwischer · 2026-05-31T04:17:40Z

+  requires(buflen >= 8)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, buflen))
+  requires(memory_no_alias(table, 4096)) /* check-magic: 4096 == 256 * 16 */


This can be a stronger pre-condition table == mld_rej_uniform_eta_table

mkannwischer · 2026-05-31T04:17:46Z

+  requires(buflen >= 8)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, buflen))
+  requires(memory_no_alias(table, 4096)) /* check-magic: 4096 == 256 * 16 */


mkannwischer · 2026-05-31T04:17:56Z

same changes need to be made to the aarch64_clean files

mkannwischer · 2026-05-31T04:19:01Z

These files should be autogenerated via autogen

mkannwischer · 2026-05-31T04:24:55Z

+(* Memory safety of the core (non-subroutine) form, mirroring the structure  *)
+(* of MLDSA_REJ_UNIFORM_ETA2_CORRECT but augmented with an event accumulator *)
+(* and memaccess_inbounds invariant. Pattern from mlkem-native               *)
+(* (mlkem_rej_uniform_VARIABLE_TIME.ml:1744).                                *)


This file has a different name in mlkem-native. Replace by a link and remove the line number as that may change.

mkannwischer · 2026-05-31T04:28:49Z

-                                          const uint8_t *table);
+                                          unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_eta2.ml */


mldsa_rej_uniform_eta2 -> rej_uniform_eta2_aarch64_asm.ml

mkannwischer · 2026-05-31T04:38:22Z

+(* The subroutine memory safety theorem.                                     *)
+(* ------------------------------------------------------------------------- *)
+
+let MLDSA_REJ_UNIFORM_ETA2_SUBROUTINE_SAFE = time prove


Should this be called _MEMSAFE?

mkannwischer · 2026-05-31T04:38:53Z

+(* ensures(array_abs_bound(r, 0, return_value, MLDSA_ETA + 1)) for eta = 2.  *)
+(* ------------------------------------------------------------------------- *)
+
+let MLDSA_REJ_UNIFORM_ETA2_SUBROUTINE_CORRECT = prove


Add comment here to keep in sync with the CBMC spec.

jakemas requested a review from a team as a code owner April 14, 2026 21:41

jakemas marked this pull request as draft April 14, 2026 21:41

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 7 times, most recently from a3673e9 to 0213d92 Compare April 14, 2026 22:00

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 0213d92 to 4558665 Compare April 14, 2026 22:03

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 4558665 to 73d8d61 Compare April 14, 2026 22:14

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 73d8d61 to a7cc582 Compare April 15, 2026 11:06

jakemas changed the title ~~Add HOL Light rej_uniform_eta4 proof for AArch64~~ Add HOL Light rej_uniform_eta proofs for AArch64 Apr 15, 2026

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 9 times, most recently from 77cb935 to f986df8 Compare April 15, 2026 17:09

mkannwischer self-assigned this Apr 22, 2026

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 3 times, most recently from 37dfafd to ddd97de Compare April 24, 2026 20:10

jakemas mentioned this pull request May 9, 2026

ML-DSA aarch64 rejection sampling proof awslabs/s2n-bignum#378

Open

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 24 times, most recently from 7429b71 to 0c8ed0a Compare May 22, 2026 00:03

jakemas marked this pull request as ready for review May 22, 2026 01:54

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 0c8ed0a to 63f752b Compare May 22, 2026 18:30

mkannwischer requested changes May 31, 2026

View reviewed changes

Conversation

jakemas commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oqs-bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44)

Uh oh!

oqs-bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-65)

Uh oh!

oqs-bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-87)

Uh oh!

oqs-bot commented Apr 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44, REDUCE-RAM)

Uh oh!

jakemas commented May 29, 2026

Uh oh!

mkannwischer left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jakemas commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 24, 2026 •

edited

Loading