Add HOL Light rej_uniform_eta proofs for AArch64 by jakemas · Pull Request #1040 · pq-code-package/mldsa-native

jakemas · 2026-04-14T21:41:38Z

Resolves #924 (when complete)

Depends on s2n-bignum PRs awslabs/s2n-bignum#378 and awslabs/s2n-bignum#379 (USHLL/SSHLL/MOVI instruction decoding) and a subsequent s2n-bignum nix pin update.

Lots of clean up todo, just checking CI.

oqs-bot · 2026-04-14T22:00:46Z

CBMC Results (ML-DSA-44)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`rej_uniform_eta4_native_aarch64`	❌	-	-	-

Full Results (187 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1749s	1720s	+1.7%
`sign_verify_internal`	✅	225s	231s	-3%
`rej_uniform_native`	✅	122s	127s	-4%
`poly_pointwise_montgomery_c`	✅	109s	110s	-1%
`polyvecl_pointwise_acc_montgomery_c`	✅	107s	104s	+3%
`mld_invntt_layer`	✅	90s	93s	-3%
`mld_ct_memcmp`	✅	77s	78s	-1%
`mld_attempt_signature_generation`	✅	46s	50s	-8%
`mld_ntt_layer`	✅	45s	44s	+2%
`polyvec_matrix_expand_eager`	✅	32s	32s	+0%
`fqmul`	✅	29s	26s	+12%
`keccakf1600x4_permute_native`	✅	28s	24s	+17%
`sign_keypair_internal`	✅	24s	26s	-8%
`sign_signature_internal`	✅	24s	20s	+20%
`rej_uniform`	✅	22s	24s	-8%
`polyt0_unpack`	✅	20s	20s	+0%
`poly_chknorm_c`	✅	19s	19s	+0%
`sign_pk_from_sk`	✅	19s	20s	-5%
`mld_ntt_butterfly_block`	✅	16s	17s	-6%
`rej_uniform_c`	✅	14s	13s	+8%
`polyz_unpack_c`	✅	13s	11s	+18%
`poly_add`	✅	12s	11s	+9%
`poly_uniform_eta_4x`	✅	12s	12s	+0%
`polyveck_decompose`	✅	12s	13s	-8%
`poly_uniform_4x`	✅	11s	10s	+10%
`keccakf1600_permute`	✅	10s	9s	+11%
`mld_check_pct`	✅	9s	9s	+0%
`polyvec_matrix_expand_eager_serial`	✅	9s	9s	+0%
`polyveck_power2round`	✅	9s	8s	+12%
`keccak_absorb_once_x4`	✅	8s	9s	-11%
`keccakf1600_permute_native`	✅	8s	9s	-11%
`mld_compute_pack_z`	✅	8s	9s	-11%
`poly_caddq_c`	✅	8s	5s	+60%
`poly_challenge`	✅	8s	4s	+100%
`polyveck_add`	✅	8s	4s	+100%
`polyveck_chknorm`	✅	8s	11s	-27%
`keccak_squeezeblocks_x4`	✅	7s	5s	+40%
`poly_invntt_tomont_c`	✅	7s	10s	-30%
`poly_pointwise_montgomery`	✅	7s	1s	+600%
`polyveck_shiftl`	✅	7s	6s	+17%
`sign`	✅	7s	5s	+40%
`sign_signature_extmu`	✅	7s	3s	+133%
`sign_verify_pre_hash_shake256`	✅	7s	3s	+133%
`keccak_absorb`	✅	6s	9s	-33%
`pack_sig_z`	✅	6s	5s	+20%
`pointwise_acc_native_aarch64`	✅	6s	7s	-14%
`pointwise_acc_native_x86_64`	✅	6s	8s	-25%
`poly_power2round`	✅	6s	7s	-14%
`polyeta_pack`	✅	6s	2s	+200%
`polyeta_unpack`	✅	6s	5s	+20%
`polyvec_matrix_pointwise_montgomery_eager`	✅	6s	7s	-14%
`polyveck_unpack_t0`	✅	6s	2s	+200%
`rej_eta_c`	✅	6s	4s	+50%
`rej_eta_native`	✅	6s	2s	+200%
`unpack_sk`	✅	6s	9s	-33%
`keccak_f1600_x1_native_aarch64`	✅	5s	2s	+150%
`keccakf1600x4_permute`	✅	5s	2s	+150%
`keccakf1600x4_xor_bytes`	✅	5s	3s	+67%
`mld_value_barrier_u32`	✅	5s	2s	+150%
`poly_decompose_c`	✅	5s	3s	+67%
`poly_reduce`	✅	5s	3s	+67%
`poly_shiftl`	✅	5s	5s	+0%
`poly_uniform_eta`	✅	5s	4s	+25%
`poly_uniform_gamma1`	✅	5s	4s	+25%
`polyveck_unpack_eta`	✅	5s	4s	+25%
`polyvecl_chknorm`	✅	5s	7s	-29%
`polyvecl_ntt`	✅	5s	4s	+25%
`polyvecl_pointwise_acc_montgomery_native`	✅	5s	5s	+0%
`sign_open`	✅	5s	7s	-29%
`sign_verify_extmu`	✅	5s	3s	+67%
`use_hint`	✅	5s	3s	+67%
`decompose`	✅	4s	2s	+100%
`intt_native_x86_64`	✅	4s	3s	+33%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	4s	2s	+100%
`keccakf1600x4_extract_bytes`	✅	4s	1s	+300%
`mld_h`	✅	4s	4s	+0%
`mld_keccakf1600_extract_bytes`	✅	4s	1s	+300%
`mld_prepare_domain_separation_prefix`	✅	4s	8s	-50%
`mld_sample_s1_s2`	✅	4s	4s	+0%
`pack_sig_h_poly`	✅	4s	1s	+300%
`pack_sk_s1`	✅	4s	4s	+0%
`poly_invntt_tomont`	✅	4s	3s	+33%
`poly_invntt_tomont_native`	✅	4s	4s	+0%
`poly_make_hint`	✅	4s	3s	+33%
`poly_ntt`	✅	4s	3s	+33%
`poly_permute_bitrev_to_custom_optional_native`	✅	4s	5s	-20%
`poly_pointwise_montgomery_native`	✅	4s	2s	+100%
`poly_sub`	✅	4s	3s	+33%
`poly_use_hint_c`	✅	4s	5s	-20%
`polyt0_pack`	✅	4s	2s	+100%
`polyveck_caddq`	✅	4s	5s	-20%
`polyveck_invntt_tomont`	✅	4s	5s	-20%
`polyveck_ntt`	✅	4s	6s	-33%
`polyveck_reduce`	✅	4s	4s	+0%
`polyveck_sub`	✅	4s	5s	-20%
`polyvecl_unpack_z`	✅	4s	1s	+300%
`rej_uniform_eta2_native_aarch64`	✅	4s	-	new
`sign_keypair`	✅	4s	3s	+33%
`sign_signature`	✅	4s	5s	-20%
`unpack_hints`	✅	4s	4s	+0%
`unpack_pk`	✅	4s	3s	+33%
`unpack_sig`	✅	4s	4s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	1s	+200%
`keccak_finalize`	✅	3s	3s	+0%
`keccak_squeeze`	✅	3s	1s	+200%
`keccakf1600_extract_bytes (big endian)`	✅	3s	1s	+200%
`keccakf1600_xor_bytes`	✅	3s	3s	+0%
`make_hint`	✅	3s	2s	+50%
`mld_ct_abs_i32`	✅	3s	3s	+0%
`mld_ct_cmask_nonzero_u8`	✅	3s	2s	+50%
`mld_ct_get_optblocker_i64`	✅	3s	1s	+200%
`mld_ct_sel_int32`	✅	3s	2s	+50%
`mld_sample_s1_s2_serial`	✅	3s	3s	+0%
`mld_value_barrier_i64`	✅	3s	1s	+200%
`ntt_native_aarch64`	✅	3s	2s	+50%
`ntt_native_x86_64`	✅	3s	3s	+0%
`pack_pk`	✅	3s	4s	-25%
`pointwise_native_aarch64`	✅	3s	1s	+200%
`pointwise_native_x86_64`	✅	3s	3s	+0%
`poly_chknorm`	✅	3s	3s	+0%
`poly_chknorm_native_aarch64`	✅	3s	4s	-25%
`poly_decompose`	✅	3s	2s	+50%
`poly_decompose_native`	✅	3s	2s	+50%
`poly_uniform`	✅	3s	3s	+0%
`poly_uniform_gamma1_4x`	✅	3s	6s	-50%
`poly_use_hint_native`	✅	3s	3s	+0%
`polyt1_pack`	✅	3s	4s	-25%
`polyt1_unpack`	✅	3s	4s	-25%
`polyveck_pack_eta`	✅	3s	3s	+0%
`polyveck_pointwise_poly_montgomery`	✅	3s	3s	+0%
`polyvecl_pack_eta`	✅	3s	1s	+200%
`polyvecl_uniform_gamma1`	✅	3s	4s	-25%
`polyvecl_uniform_gamma1_serial`	✅	3s	4s	-25%
`polyz_pack`	✅	3s	2s	+50%
`polyz_unpack`	✅	3s	5s	-40%
`power2round`	✅	3s	5s	-40%
`rej_eta`	✅	3s	2s	+50%
`shake128x4_absorb_once`	✅	3s	3s	+0%
`shake256`	✅	3s	2s	+50%
`shake256_absorb`	✅	3s	2s	+50%
`shake256_release`	✅	3s	3s	+0%
`shake256_squeeze`	✅	3s	2s	+50%
`sign_signature_pre_hash_internal`	✅	3s	3s	+0%
`sign_signature_pre_hash_shake256`	✅	3s	4s	-25%
`sign_verify`	✅	3s	5s	-40%
`sign_verify_pre_hash_internal`	✅	3s	2s	+50%
`fqscale`	✅	2s	4s	-50%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	3s	-33%
`keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`mld_ct_cmask_neg_i32`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u32`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_value_barrier_u8`	✅	2s	4s	-50%
`montgomery_reduce`	✅	2s	6s	-67%
`pack_sig_c`	✅	2s	7s	-71%
`pack_sk_rho_key_tr_s2_t0`	✅	2s	2s	+0%
`poly_caddq_native`	✅	2s	5s	-60%
`poly_caddq_native_aarch64`	✅	2s	4s	-50%
`poly_ntt_c`	✅	2s	1s	+100%
`poly_ntt_native`	✅	2s	3s	-33%
`poly_permute_bitrev_to_custom_optional`	✅	2s	4s	-50%
`poly_use_hint`	✅	2s	2s	+0%
`polyveck_use_hint`	✅	2s	4s	-50%
`polyvecl_pointwise_acc_montgomery`	✅	2s	2s	+0%
`polyvecl_unpack_eta`	✅	2s	4s	-50%
`polyw1_pack`	✅	2s	2s	+0%
`polyz_unpack_native`	✅	2s	3s	-33%
`shake128_init`	✅	2s	1s	+100%
`shake128_release`	✅	2s	3s	-33%
`shake128_squeeze`	✅	2s	1s	+100%
`shake128x4_squeezeblocks`	✅	2s	2s	+0%
`shake256_init`	✅	2s	3s	-33%
`shake256x4_absorb_once`	✅	2s	3s	-33%
`shake256x4_squeezeblocks`	✅	2s	2s	+0%
`rej_uniform_eta4_native_aarch64`	❌	-	-	-
`caddq`	✅	1s	3s	-67%
`keccak_init`	✅	1s	1s	+0%
`poly_caddq`	✅	1s	1s	+0%
`poly_chknorm_native`	✅	1s	3s	-67%
`polyveck_pack_t0`	✅	1s	3s	-67%
`polyveck_pack_w1`	✅	1s	2s	-50%
`reduce32`	✅	1s	1s	+0%
`shake128_absorb`	✅	1s	3s	-67%
`shake128_finalize`	✅	1s	2s	-50%
`shake256_finalize`	✅	1s	3s	-67%
`sys_check_capability`	✅	1s	2s	-50%

oqs-bot · 2026-04-14T22:07:30Z

CBMC Results (ML-DSA-65)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`rej_uniform_eta2_native_aarch64`	❌	-	-	-

Full Results (187 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2119s	2089s	+1.4%
`polyvecl_pointwise_acc_montgomery_c`	✅	248s	230s	+8%
`sign_verify_internal`	✅	237s	237s	+0%
`polyvec_matrix_expand_eager`	✅	176s	171s	+3%
`rej_uniform_native`	✅	127s	130s	-2%
`poly_pointwise_montgomery_c`	✅	105s	116s	-9%
`mld_invntt_layer`	✅	95s	97s	-2%
`mld_ct_memcmp`	✅	78s	81s	-4%
`mld_attempt_signature_generation`	✅	52s	49s	+6%
`mld_ntt_layer`	✅	44s	44s	+0%
`sign_keypair_internal`	✅	32s	31s	+3%
`sign_signature_internal`	✅	29s	29s	+0%
`fqmul`	✅	27s	30s	-10%
`polyvec_matrix_expand_eager_serial`	✅	25s	27s	-7%
`keccakf1600x4_permute_native`	✅	23s	23s	+0%
`rej_uniform`	✅	23s	23s	+0%
`sign_pk_from_sk`	✅	21s	18s	+17%
`polyt0_unpack`	✅	20s	21s	-5%
`rej_uniform_c`	✅	18s	14s	+29%
`poly_chknorm_c`	✅	16s	18s	-11%
`polyveck_pointwise_poly_montgomery`	✅	15s	16s	-6%
`mld_ntt_butterfly_block`	✅	14s	17s	-18%
`polyveck_add`	✅	14s	14s	+0%
`mld_check_pct`	✅	13s	12s	+8%
`poly_uniform_eta_4x`	✅	13s	13s	+0%
`polyveck_decompose`	✅	13s	13s	+0%
`polyveck_power2round`	✅	13s	13s	+0%
`poly_add`	✅	12s	12s	+0%
`poly_uniform_4x`	✅	12s	12s	+0%
`keccak_absorb_once_x4`	✅	11s	9s	+22%
`polyz_unpack_c`	✅	10s	7s	+43%
`keccakf1600_permute`	✅	8s	9s	-11%
`keccakf1600_permute_native`	✅	8s	6s	+33%
`mld_compute_pack_z`	✅	8s	5s	+60%
`poly_caddq_c`	✅	8s	3s	+167%
`poly_power2round`	✅	8s	6s	+33%
`polyveck_caddq`	✅	8s	8s	+0%
`polyveck_ntt`	✅	8s	6s	+33%
`poly_invntt_tomont_c`	✅	7s	9s	-22%
`poly_make_hint`	✅	7s	1s	+600%
`polyvec_matrix_pointwise_montgomery_eager`	✅	7s	9s	-22%
`polyveck_invntt_tomont`	✅	7s	6s	+17%
`polyveck_shiftl`	✅	7s	6s	+17%
`polyveck_sub`	✅	7s	4s	+75%
`polyvecl_ntt`	✅	7s	7s	+0%
`keccak_absorb`	✅	6s	9s	-33%
`pointwise_acc_native_x86_64`	✅	6s	7s	-14%
`poly_permute_bitrev_to_custom_optional_native`	✅	6s	2s	+200%
`poly_reduce`	✅	6s	2s	+200%
`poly_uniform`	✅	6s	2s	+200%
`polyt0_pack`	✅	6s	6s	+0%
`polyveck_use_hint`	✅	6s	5s	+20%
`shake256_finalize`	✅	6s	1s	+500%
`sign`	✅	6s	5s	+20%
`sign_verify`	✅	6s	3s	+100%
`sign_verify_pre_hash_shake256`	✅	6s	4s	+50%
`unpack_hints`	✅	6s	3s	+100%
`unpack_pk`	✅	6s	3s	+100%
`fqscale`	✅	5s	1s	+400%
`keccak_squeezeblocks_x4`	✅	5s	5s	+0%
`mld_sample_s1_s2`	✅	5s	5s	+0%
`pack_sig_h_poly`	✅	5s	3s	+67%
`pointwise_acc_native_aarch64`	✅	5s	6s	-17%
`pointwise_native_aarch64`	✅	5s	3s	+67%
`poly_decompose_c`	✅	5s	4s	+25%
`poly_ntt_c`	✅	5s	4s	+25%
`poly_ntt_native`	✅	5s	3s	+67%
`polyveck_chknorm`	✅	5s	6s	-17%
`polyveck_reduce`	✅	5s	6s	-17%
`power2round`	✅	5s	1s	+400%
`reduce32`	✅	5s	4s	+25%
`rej_eta_native`	✅	5s	5s	+0%
`rej_uniform_eta4_native_aarch64`	✅	5s	-	new
`shake128_release`	✅	5s	2s	+150%
`sign_signature`	✅	5s	6s	-17%
`sign_signature_pre_hash_internal`	✅	5s	5s	+0%
`sign_signature_pre_hash_shake256`	✅	5s	8s	-38%
`unpack_sk`	✅	5s	5s	+0%
`caddq`	✅	4s	3s	+33%
`keccakf1600_xor_bytes (big endian)`	✅	4s	3s	+33%
`mld_h`	✅	4s	2s	+100%
`mld_prepare_domain_separation_prefix`	✅	4s	3s	+33%
`mld_sample_s1_s2_serial`	✅	4s	5s	-20%
`poly_invntt_tomont`	✅	4s	4s	+0%
`poly_uniform_gamma1_4x`	✅	4s	6s	-33%
`poly_use_hint`	✅	4s	3s	+33%
`poly_use_hint_native`	✅	4s	3s	+33%
`polyeta_pack`	✅	4s	4s	+0%
`polyeta_unpack`	✅	4s	2s	+100%
`polyt1_pack`	✅	4s	3s	+33%
`polyveck_pack_w1`	✅	4s	4s	+0%
`polyvecl_pack_eta`	✅	4s	4s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	4s	4s	+0%
`polyvecl_uniform_gamma1_serial`	✅	4s	2s	+100%
`polyvecl_unpack_z`	✅	4s	3s	+33%
`polyz_pack`	✅	4s	2s	+100%
`shake128_finalize`	✅	4s	1s	+300%
`shake128_squeeze`	✅	4s	4s	+0%
`shake128x4_absorb_once`	✅	4s	4s	+0%
`shake256_init`	✅	4s	1s	+300%
`sign_open`	✅	4s	4s	+0%
`sign_verify_extmu`	✅	4s	3s	+33%
`sign_verify_pre_hash_internal`	✅	4s	6s	-33%
`decompose`	✅	3s	4s	-25%
`intt_native_x86_64`	✅	3s	5s	-40%
`keccak_f1600_x4_native_aarch64_v84a`	✅	3s	4s	-25%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	2s	+50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	3s	3s	+0%
`keccak_finalize`	✅	3s	2s	+50%
`keccak_squeeze`	✅	3s	3s	+0%
`keccakf1600x4_permute`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u32`	✅	3s	4s	-25%
`mld_ct_cmask_nonzero_u8`	✅	3s	6s	-50%
`mld_ct_get_optblocker_i64`	✅	3s	2s	+50%
`mld_ct_sel_int32`	✅	3s	1s	+200%
`mld_value_barrier_u32`	✅	3s	2s	+50%
`montgomery_reduce`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	3s	+0%
`ntt_native_x86_64`	✅	3s	5s	-40%
`pack_sig_z`	✅	3s	4s	-25%
`poly_caddq_native_aarch64`	✅	3s	3s	+0%
`poly_challenge`	✅	3s	5s	-40%
`poly_chknorm`	✅	3s	3s	+0%
`poly_chknorm_native`	✅	3s	4s	-25%
`poly_decompose`	✅	3s	2s	+50%
`poly_decompose_native`	✅	3s	3s	+0%
`poly_pointwise_montgomery_native`	✅	3s	6s	-50%
`poly_shiftl`	✅	3s	3s	+0%
`poly_uniform_eta`	✅	3s	4s	-25%
`poly_uniform_gamma1`	✅	3s	3s	+0%
`polyt1_unpack`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	3s	+0%
`polyveck_pack_t0`	✅	3s	3s	+0%
`polyveck_unpack_t0`	✅	3s	1s	+200%
`polyvecl_chknorm`	✅	3s	6s	-50%
`polyvecl_pointwise_acc_montgomery_native`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1`	✅	3s	5s	-40%
`polyw1_pack`	✅	3s	1s	+200%
`polyz_unpack_native`	✅	3s	3s	+0%
`rej_eta_c`	✅	3s	6s	-50%
`shake256`	✅	3s	4s	-25%
`shake256_absorb`	✅	3s	4s	-25%
`sign_keypair`	✅	3s	2s	+50%
`sign_signature_extmu`	✅	3s	4s	-25%
`unpack_sig`	✅	3s	2s	+50%
`keccak_f1600_x1_native_aarch64`	✅	2s	2s	+0%
`keccakf1600_xor_bytes`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`make_hint`	✅	2s	2s	+0%
`mld_ct_abs_i32`	✅	2s	2s	+0%
`mld_ct_cmask_neg_i32`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u32`	✅	2s	1s	+100%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`mld_value_barrier_u8`	✅	2s	3s	-33%
`pack_pk`	✅	2s	4s	-50%
`pack_sig_c`	✅	2s	3s	-33%
`pack_sk_rho_key_tr_s2_t0`	✅	2s	2s	+0%
`pack_sk_s1`	✅	2s	3s	-33%
`pointwise_native_x86_64`	✅	2s	3s	-33%
`poly_caddq`	✅	2s	4s	-50%
`poly_caddq_native`	✅	2s	2s	+0%
`poly_chknorm_native_aarch64`	✅	2s	2s	+0%
`poly_invntt_tomont_native`	✅	2s	5s	-60%
`poly_ntt`	✅	2s	5s	-60%
`poly_pointwise_montgomery`	✅	2s	2s	+0%
`poly_use_hint_c`	✅	2s	3s	-33%
`polyveck_unpack_eta`	✅	2s	4s	-50%
`polyvecl_unpack_eta`	✅	2s	3s	-33%
`rej_eta`	✅	2s	2s	+0%
`shake128_absorb`	✅	2s	4s	-50%
`shake128_init`	✅	2s	3s	-33%
`shake256_release`	✅	2s	2s	+0%
`shake256_squeeze`	✅	2s	3s	-33%
`shake256x4_absorb_once`	✅	2s	1s	+100%
`shake256x4_squeezeblocks`	✅	2s	4s	-50%
`rej_uniform_eta2_native_aarch64`	❌	-	-	-
`keccak_f1600_x1_native_aarch64_v84a`	✅	1s	3s	-67%
`keccak_init`	✅	1s	2s	-50%
`keccakf1600_extract_bytes (big endian)`	✅	1s	1s	+0%
`mld_ct_get_optblocker_u8`	✅	1s	2s	-50%
`mld_keccakf1600_extract_bytes`	✅	1s	2s	-50%
`poly_permute_bitrev_to_custom_optional`	✅	1s	5s	-80%
`poly_sub`	✅	1s	2s	-50%
`polyz_unpack`	✅	1s	5s	-80%
`shake128x4_squeezeblocks`	✅	1s	3s	-67%
`sys_check_capability`	✅	1s	3s	-67%
`use_hint`	✅	1s	4s	-75%

oqs-bot · 2026-04-14T22:15:30Z

CBMC Results (ML-DSA-87)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`rej_uniform_eta4_native_aarch64`	❌	-	-	-

Full Results (187 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2558s	2247s	+13.8%
`polyvecl_pointwise_acc_montgomery_c`	✅	375s	268s	+40%
`sign_verify_internal`	✅	305s	287s	+6%
`polyvec_matrix_expand_eager`	✅	158s	144s	+10%
`rej_uniform_native`	✅	136s	121s	+12%
`poly_pointwise_montgomery_c`	✅	134s	109s	+23%
`mld_invntt_layer`	✅	107s	99s	+8%
`mld_ct_memcmp`	✅	100s	77s	+30%
`mld_attempt_signature_generation`	✅	85s	83s	+2%
`polyvec_matrix_expand_eager_serial`	✅	66s	64s	+3%
`mld_ntt_layer`	✅	49s	43s	+14%
`sign_keypair_internal`	✅	49s	48s	+2%
`fqmul`	✅	33s	29s	+14%
`sign_pk_from_sk`	✅	30s	22s	+36%
`sign_signature_internal`	✅	29s	29s	+0%
`keccakf1600x4_permute_native`	✅	25s	23s	+9%
`rej_uniform`	✅	23s	23s	+0%
`poly_chknorm_c`	✅	22s	19s	+16%
`polyt0_unpack`	✅	22s	20s	+10%
`mld_ntt_butterfly_block`	✅	18s	16s	+12%
`polyveck_chknorm`	✅	18s	17s	+6%
`polyveck_sub`	✅	18s	18s	+0%
`rej_uniform_c`	✅	18s	16s	+12%
`polyveck_decompose`	✅	15s	16s	-6%
`poly_uniform_eta_4x`	✅	14s	13s	+8%
`poly_uniform_4x`	✅	13s	11s	+18%
`mld_compute_pack_z`	✅	12s	11s	+9%
`poly_add`	✅	12s	11s	+9%
`poly_invntt_tomont_c`	✅	12s	10s	+20%
`polyveck_power2round`	✅	12s	9s	+33%
`keccak_absorb_once_x4`	✅	11s	10s	+10%
`mld_check_pct`	✅	11s	11s	+0%
`polyvec_matrix_pointwise_montgomery_eager`	✅	11s	13s	-15%
`polyveck_add`	✅	11s	11s	+0%
`pointwise_acc_native_aarch64`	✅	10s	6s	+67%
`polyveck_invntt_tomont`	✅	10s	7s	+43%
`keccakf1600_permute`	✅	9s	5s	+80%
`poly_decompose_c`	✅	9s	7s	+29%
`polyveck_pointwise_poly_montgomery`	✅	9s	8s	+12%
`polyveck_reduce`	✅	9s	6s	+50%
`sign_signature`	✅	9s	3s	+200%
`keccakf1600_permute_native`	✅	8s	7s	+14%
`polyeta_unpack`	✅	8s	7s	+14%
`polyveck_ntt`	✅	8s	9s	-11%
`polyvecl_ntt`	✅	8s	7s	+14%
`polyvecl_uniform_gamma1`	✅	8s	3s	+167%
`polyvecl_unpack_eta`	✅	8s	4s	+100%
`unpack_hints`	✅	8s	4s	+100%
`keccak_squeezeblocks_x4`	✅	7s	6s	+17%
`mld_sample_s1_s2`	✅	7s	8s	-12%
`poly_power2round`	✅	7s	7s	+0%
`polyveck_caddq`	✅	7s	7s	+0%
`rej_uniform_eta2_native_aarch64`	✅	7s	-	new
`sign`	✅	7s	6s	+17%
`sign_signature_extmu`	✅	7s	5s	+40%
`keccak_absorb`	✅	6s	7s	-14%
`mld_prepare_domain_separation_prefix`	✅	6s	4s	+50%
`pointwise_acc_native_x86_64`	✅	6s	8s	-25%
`poly_chknorm_native`	✅	6s	3s	+100%
`poly_pointwise_montgomery_native`	✅	6s	5s	+20%
`poly_uniform_gamma1_4x`	✅	6s	3s	+100%
`polyveck_shiftl`	✅	6s	6s	+0%
`polyveck_unpack_t0`	✅	6s	2s	+200%
`polyveck_use_hint`	✅	6s	6s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	6s	4s	+50%
`decompose`	✅	5s	4s	+25%
`fqscale`	✅	5s	4s	+25%
`keccak_squeeze`	✅	5s	2s	+150%
`pack_sig_c`	✅	5s	2s	+150%
`pack_sig_z`	✅	5s	3s	+67%
`pack_sk_s1`	✅	5s	2s	+150%
`pointwise_native_x86_64`	✅	5s	3s	+67%
`poly_caddq_native`	✅	5s	3s	+67%
`poly_chknorm`	✅	5s	3s	+67%
`sign_verify`	✅	5s	4s	+25%
`sign_verify_pre_hash_internal`	✅	5s	3s	+67%
`unpack_sig`	✅	5s	4s	+25%
`unpack_sk`	✅	5s	6s	-17%
`caddq`	✅	4s	2s	+100%
`intt_native_x86_64`	✅	4s	2s	+100%
`keccak_f1600_x1_native_aarch64_v84a`	✅	4s	3s	+33%
`keccakf1600x4_permute`	✅	4s	1s	+300%
`mld_ct_cmask_neg_i32`	✅	4s	2s	+100%
`mld_ct_get_optblocker_u8`	✅	4s	3s	+33%
`mld_sample_s1_s2_serial`	✅	4s	4s	+0%
`mld_value_barrier_u8`	✅	4s	5s	-20%
`ntt_native_aarch64`	✅	4s	3s	+33%
`pack_pk`	✅	4s	3s	+33%
`pack_sig_h_poly`	✅	4s	4s	+0%
`poly_caddq_c`	✅	4s	3s	+33%
`poly_caddq_native_aarch64`	✅	4s	3s	+33%
`poly_challenge`	✅	4s	4s	+0%
`poly_chknorm_native_aarch64`	✅	4s	4s	+0%
`poly_invntt_tomont`	✅	4s	2s	+100%
`poly_permute_bitrev_to_custom_optional`	✅	4s	2s	+100%
`poly_reduce`	✅	4s	5s	-20%
`poly_shiftl`	✅	4s	5s	-20%
`poly_sub`	✅	4s	2s	+100%
`poly_uniform_eta`	✅	4s	4s	+0%
`poly_uniform_gamma1`	✅	4s	2s	+100%
`poly_use_hint_c`	✅	4s	2s	+100%
`poly_use_hint_native`	✅	4s	3s	+33%
`polyt0_pack`	✅	4s	3s	+33%
`polyveck_unpack_eta`	✅	4s	5s	-20%
`polyvecl_chknorm`	✅	4s	6s	-33%
`polyvecl_uniform_gamma1_serial`	✅	4s	5s	-20%
`polyz_unpack_c`	✅	4s	4s	+0%
`polyz_unpack_native`	✅	4s	3s	+33%
`rej_eta_c`	✅	4s	6s	-33%
`rej_eta_native`	✅	4s	4s	+0%
`sign_keypair`	✅	4s	3s	+33%
`sign_open`	✅	4s	5s	-20%
`sign_signature_pre_hash_internal`	✅	4s	4s	+0%
`sys_check_capability`	✅	4s	3s	+33%
`unpack_pk`	✅	4s	4s	+0%
`use_hint`	✅	4s	2s	+100%
`keccak_finalize`	✅	3s	4s	-25%
`keccakf1600_xor_bytes (big endian)`	✅	3s	2s	+50%
`keccakf1600x4_extract_bytes`	✅	3s	5s	-40%
`mld_ct_abs_i32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u32`	✅	3s	2s	+50%
`mld_value_barrier_i64`	✅	3s	1s	+200%
`pointwise_native_aarch64`	✅	3s	3s	+0%
`poly_caddq`	✅	3s	4s	-25%
`poly_decompose_native`	✅	3s	4s	-25%
`poly_ntt`	✅	3s	2s	+50%
`poly_uniform`	✅	3s	5s	-40%
`poly_use_hint`	✅	3s	2s	+50%
`polyeta_pack`	✅	3s	3s	+0%
`polyt1_pack`	✅	3s	3s	+0%
`polyveck_pack_t0`	✅	3s	3s	+0%
`polyvecl_pack_eta`	✅	3s	5s	-40%
`polyvecl_pointwise_acc_montgomery`	✅	3s	3s	+0%
`polyvecl_unpack_z`	✅	3s	2s	+50%
`polyz_pack`	✅	3s	2s	+50%
`power2round`	✅	3s	3s	+0%
`rej_eta`	✅	3s	4s	-25%
`shake128_finalize`	✅	3s	2s	+50%
`shake128_squeeze`	✅	3s	5s	-40%
`shake256`	✅	3s	2s	+50%
`shake256_finalize`	✅	3s	1s	+200%
`shake256_release`	✅	3s	3s	+0%
`sign_signature_pre_hash_shake256`	✅	3s	4s	-25%
`sign_verify_extmu`	✅	3s	4s	-25%
`keccak_f1600_x1_native_aarch64`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccak_init`	✅	2s	2s	+0%
`keccakf1600_extract_bytes (big endian)`	✅	2s	2s	+0%
`keccakf1600x4_xor_bytes`	✅	2s	1s	+100%
`make_hint`	✅	2s	4s	-50%
`mld_ct_get_optblocker_u32`	✅	2s	1s	+100%
`mld_ct_sel_int32`	✅	2s	3s	-33%
`mld_h`	✅	2s	3s	-33%
`mld_value_barrier_u32`	✅	2s	2s	+0%
`ntt_native_x86_64`	✅	2s	4s	-50%
`pack_sk_rho_key_tr_s2_t0`	✅	2s	4s	-50%
`poly_decompose`	✅	2s	7s	-71%
`poly_invntt_tomont_native`	✅	2s	2s	+0%
`poly_make_hint`	✅	2s	3s	-33%
`poly_ntt_c`	✅	2s	3s	-33%
`poly_ntt_native`	✅	2s	2s	+0%
`poly_permute_bitrev_to_custom_optional_native`	✅	2s	5s	-60%
`poly_pointwise_montgomery`	✅	2s	2s	+0%
`polyt1_unpack`	✅	2s	3s	-33%
`polyw1_pack`	✅	2s	3s	-33%
`polyz_unpack`	✅	2s	2s	+0%
`reduce32`	✅	2s	2s	+0%
`shake128_release`	✅	2s	1s	+100%
`shake128x4_absorb_once`	✅	2s	2s	+0%
`shake128x4_squeezeblocks`	✅	2s	2s	+0%
`shake256_absorb`	✅	2s	3s	-33%
`shake256_squeeze`	✅	2s	1s	+100%
`shake256x4_squeezeblocks`	✅	2s	3s	-33%
`sign_verify_pre_hash_shake256`	✅	2s	8s	-75%
`rej_uniform_eta4_native_aarch64`	❌	-	-	-
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	3s	-67%
`keccakf1600_xor_bytes`	✅	1s	1s	+0%
`mld_ct_cmask_nonzero_u8`	✅	1s	4s	-75%
`mld_ct_get_optblocker_i64`	✅	1s	2s	-50%
`mld_keccakf1600_extract_bytes`	✅	1s	3s	-67%
`montgomery_reduce`	✅	1s	2s	-50%
`polyveck_pack_eta`	✅	1s	2s	-50%
`polyveck_pack_w1`	✅	1s	2s	-50%
`shake128_absorb`	✅	1s	1s	+0%
`shake128_init`	✅	1s	6s	-83%
`shake256_init`	✅	1s	3s	-67%
`shake256x4_absorb_once`	✅	1s	2s	-50%

jakemas · 2026-04-14T22:19:28Z

CBMC Results (ML-DSA-44)

⚠️ Attention Required

Proof Status Current Previous Change
rej_uniform_eta4_native_aarch64 ❌ - - -

IS expected, adding eta2 proof, still under construction.

Add formal correctness proof for the AArch64 mld_rej_uniform_eta4_asm function, which performs rejection sampling with eta=4 for ML-DSA. The proof verifies that the assembly implementation correctly: - Extracts 4-bit nibbles from input bytes - Filters nibbles < 9 using SIMD comparison + TBL permutation - Maps accepted values n to (4 - n) as signed 32-bit integers - Returns at most 256 coefficients with the correct count Verified against the compiled object code (post-hoc, not trusting the assembler) using the s2n-bignum ARM verification framework in HOL Light. All 86 AArch64 instructions are mechanically verified across every execution path (360+ ARM simulation steps). No CHEAT_TAC remains. New files: - mldsa_rej_uniform_eta4.S: standalone assembly for proof bytecodes - mldsa_rej_uniform_eta4.ml: 547-line HOL Light correctness proof - mldsa_rej_uniform_eta_table.ml: 256-entry lookup table constants Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jake Massimo <jakemas@amazon.com>

Replace WOP-based loop structure with buflen DIV 8 iterations. This fixes the post-loop BCS handling (CHEAT 3): since 8 divides buflen, the loop exhausts the entire buffer and the back-edge BCS is deterministically not taken after the last iteration. The intermediate postcondition at pc+256 now tracks REJ_NIBBLES_ETA4(inlist) directly without existential quantification or niblen < 272 bound. Remaining CHEATs: loop body (SIMD->spec), writeback phase. Signed-off-by: Jake Massimo <jakemas@amazon.com> Co-authored-by: Claude <noreply@anthropic.com>

oqs-bot · 2026-04-24T21:07:03Z

CBMC Results (ML-DSA-44, REDUCE-RAM)

⏭️ 16 proof(s) skipped (see proofs/cbmc/reduce_ram_skip.txt)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`rej_uniform_eta4_native_aarch64`	❌	-	-	-
`attempt_signature_generation`	⏭️	skipped	-	-
`compute_pack_z`	⏭️	skipped	-	-
`poly_uniform_4x`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager_serial`	⏭️	skipped	-	-
`polyvec_matrix_pointwise_montgomery_eager`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_c`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_native`	⏭️	skipped	-	-
`shake128x4_absorb_once`	⏭️	skipped	-	-
`shake128x4_squeezeblocks`	⏭️	skipped	-	-
`sign_keypair_internal`	⏭️	skipped	-	-
`sign_pk_from_sk`	⏭️	skipped	-	-
`sign_signature_internal`	⏭️	skipped	-	-
`sign_verify_internal`	⏭️	skipped	-	-
`unpack_sk`	⏭️	skipped	-	-

Full Results (187 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1153s	1271s	-9.3%
`poly_pointwise_montgomery_c`	✅	109s	130s	-16%
`rej_uniform_native`	✅	107s	116s	-8%
`mld_invntt_layer`	✅	102s	114s	-11%
`mld_ct_memcmp`	✅	75s	88s	-15%
`mld_ntt_layer`	✅	42s	47s	-11%
`fqmul`	✅	31s	33s	-6%
`keccakf1600x4_permute_native`	✅	25s	26s	-4%
`mld_ntt_butterfly_block`	✅	16s	16s	+0%
`polyeta_unpack`	✅	16s	15s	+7%
`poly_chknorm_c`	✅	15s	16s	-6%
`polyt0_unpack`	✅	15s	18s	-17%
`polyz_unpack_c`	✅	15s	15s	+0%
`mld_check_pct`	✅	12s	14s	-14%
`poly_uniform_eta_4x`	✅	12s	12s	+0%
`keccak_absorb_once_x4`	✅	10s	10s	+0%
`poly_invntt_tomont_c`	✅	10s	8s	+25%
`polyveck_power2round`	✅	10s	13s	-23%
`keccakf1600_permute`	✅	9s	9s	+0%
`poly_add`	✅	9s	14s	-36%
`rej_uniform_c`	✅	9s	10s	-10%
`poly_caddq_c`	✅	8s	8s	+0%
`polyveck_add`	✅	8s	7s	+14%
`polyvecl_unpack_eta`	✅	8s	4s	+100%
`keccakf1600_permute_native`	✅	7s	8s	-12%
`pointwise_acc_native_aarch64`	✅	7s	6s	+17%
`polyveck_shiftl`	✅	7s	6s	+17%
`rej_uniform`	✅	7s	7s	+0%
`keccak_absorb`	✅	6s	7s	-14%
`mld_prepare_domain_separation_prefix`	✅	6s	3s	+100%
`poly_shiftl`	✅	6s	6s	+0%
`poly_uniform`	✅	6s	7s	-14%
`poly_use_hint_c`	✅	6s	8s	-25%
`rej_eta_native`	✅	6s	4s	+50%
`unpack_hints`	✅	6s	7s	-14%
`keccak_f1600_x4_native_aarch64_v84a`	✅	5s	3s	+67%
`mld_ct_cmask_nonzero_u8`	✅	5s	3s	+67%
`mld_h`	✅	5s	4s	+25%
`ntt_native_aarch64`	✅	5s	4s	+25%
`pack_pk`	✅	5s	2s	+150%
`pointwise_acc_native_x86_64`	✅	5s	6s	-17%
`poly_chknorm_native`	✅	5s	2s	+150%
`poly_decompose_c`	✅	5s	5s	+0%
`poly_sub`	✅	5s	3s	+67%
`polyt0_pack`	✅	5s	4s	+25%
`polyveck_decompose`	✅	5s	6s	-17%
`polyveck_ntt`	✅	5s	6s	-17%
`polyvecl_ntt`	✅	5s	7s	-29%
`polyvecl_uniform_gamma1`	✅	5s	3s	+67%
`rej_uniform_eta2_native_aarch64`	✅	5s	-	new
`sign`	✅	5s	6s	-17%
`sign_keypair`	✅	5s	4s	+25%
`sign_verify_pre_hash_internal`	✅	5s	4s	+25%
`sign_verify_pre_hash_shake256`	✅	5s	3s	+67%
`caddq`	✅	4s	2s	+100%
`keccak_f1600_x1_native_aarch64_v84a`	✅	4s	1s	+300%
`keccak_init`	✅	4s	2s	+100%
`keccak_squeezeblocks_x4`	✅	4s	4s	+0%
`keccakf1600_xor_bytes`	✅	4s	3s	+33%
`keccakf1600_xor_bytes (big endian)`	✅	4s	4s	+0%
`mld_ct_abs_i32`	✅	4s	3s	+33%
`mld_sample_s1_s2`	✅	4s	2s	+100%
`ntt_native_x86_64`	✅	4s	4s	+0%
`pack_sk_rho_key_tr_s2_t0`	✅	4s	4s	+0%
`pack_sk_s1`	✅	4s	2s	+100%
`poly_caddq`	✅	4s	2s	+100%
`poly_invntt_tomont_native`	✅	4s	2s	+100%
`poly_ntt_native`	✅	4s	3s	+33%
`poly_power2round`	✅	4s	6s	-33%
`poly_uniform_gamma1`	✅	4s	2s	+100%
`polyveck_pack_eta`	✅	4s	2s	+100%
`polyveck_pack_w1`	✅	4s	3s	+33%
`polyveck_pointwise_poly_montgomery`	✅	4s	6s	-33%
`polyveck_reduce`	✅	4s	5s	-20%
`polyveck_sub`	✅	4s	5s	-20%
`polyveck_unpack_eta`	✅	4s	3s	+33%
`polyveck_unpack_t0`	✅	4s	5s	-20%
`polyveck_use_hint`	✅	4s	3s	+33%
`polyz_pack`	✅	4s	3s	+33%
`rej_eta`	✅	4s	2s	+100%
`shake128_release`	✅	4s	2s	+100%
`shake128_squeeze`	✅	4s	4s	+0%
`shake256_squeeze`	✅	4s	6s	-33%
`sign_open`	✅	4s	6s	-33%
`sign_signature_extmu`	✅	4s	6s	-33%
`sign_signature_pre_hash_internal`	✅	4s	5s	-20%
`sign_verify_extmu`	✅	4s	5s	-20%
`unpack_pk`	✅	4s	3s	+33%
`decompose`	✅	3s	3s	+0%
`intt_native_x86_64`	✅	3s	4s	-25%
`keccak_f1600_x1_native_aarch64`	✅	3s	1s	+200%
`keccak_squeeze`	✅	3s	2s	+50%
`keccakf1600_extract_bytes (big endian)`	✅	3s	1s	+200%
`keccakf1600x4_permute`	✅	3s	3s	+0%
`make_hint`	✅	3s	3s	+0%
`mld_keccakf1600_extract_bytes`	✅	3s	3s	+0%
`montgomery_reduce`	✅	3s	2s	+50%
`pack_sig_z`	✅	3s	2s	+50%
`pointwise_native_x86_64`	✅	3s	4s	-25%
`poly_chknorm_native_aarch64`	✅	3s	4s	-25%
`poly_decompose`	✅	3s	6s	-50%
`poly_ntt_c`	✅	3s	5s	-40%
`poly_reduce`	✅	3s	3s	+0%
`poly_uniform_eta`	✅	3s	3s	+0%
`polyveck_caddq`	✅	3s	6s	-50%
`polyveck_chknorm`	✅	3s	4s	-25%
`polyveck_invntt_tomont`	✅	3s	3s	+0%
`polyvecl_chknorm`	✅	3s	2s	+50%
`polyvecl_pack_eta`	✅	3s	5s	-40%
`shake128_absorb`	✅	3s	2s	+50%
`shake128_init`	✅	3s	2s	+50%
`shake256_absorb`	✅	3s	3s	+0%
`shake256_init`	✅	3s	4s	-25%
`sign_signature_pre_hash_shake256`	✅	3s	3s	+0%
`sign_verify`	✅	3s	4s	-25%
`fqscale`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	3s	-33%
`keccak_finalize`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`mld_ct_cmask_neg_i32`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u32`	✅	2s	4s	-50%
`mld_ct_get_optblocker_i64`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_sample_s1_s2_serial`	✅	2s	2s	+0%
`mld_value_barrier_i64`	✅	2s	4s	-50%
`mld_value_barrier_u32`	✅	2s	1s	+100%
`pack_sig_h_poly`	✅	2s	4s	-50%
`pointwise_native_aarch64`	✅	2s	3s	-33%
`poly_caddq_native_aarch64`	✅	2s	3s	-33%
`poly_challenge`	✅	2s	5s	-60%
`poly_chknorm`	✅	2s	4s	-50%
`poly_decompose_native`	✅	2s	3s	-33%
`poly_permute_bitrev_to_custom_optional`	✅	2s	3s	-33%
`poly_pointwise_montgomery`	✅	2s	6s	-67%
`poly_uniform_gamma1_4x`	✅	2s	7s	-71%
`poly_use_hint_native`	✅	2s	4s	-50%
`polyeta_pack`	✅	2s	2s	+0%
`polyt1_pack`	✅	2s	3s	-33%
`polyveck_pack_t0`	✅	2s	2s	+0%
`polyvecl_uniform_gamma1_serial`	✅	2s	2s	+0%
`polyvecl_unpack_z`	✅	2s	4s	-50%
`polyw1_pack`	✅	2s	2s	+0%
`polyz_unpack`	✅	2s	5s	-60%
`polyz_unpack_native`	✅	2s	4s	-50%
`power2round`	✅	2s	1s	+100%
`reduce32`	✅	2s	2s	+0%
`rej_eta_c`	✅	2s	4s	-50%
`shake128_finalize`	✅	2s	1s	+100%
`shake256`	✅	2s	1s	+100%
`shake256_finalize`	✅	2s	4s	-50%
`shake256_release`	✅	2s	2s	+0%
`shake256x4_absorb_once`	✅	2s	4s	-50%
`sign_signature`	✅	2s	6s	-67%
`sys_check_capability`	✅	2s	2s	+0%
`unpack_sig`	✅	2s	4s	-50%
`use_hint`	✅	2s	2s	+0%
`rej_uniform_eta4_native_aarch64`	❌	-	-	-
`keccakf1600x4_xor_bytes`	✅	1s	3s	-67%
`mld_ct_get_optblocker_u32`	✅	1s	2s	-50%
`mld_ct_sel_int32`	✅	1s	3s	-67%
`mld_value_barrier_u8`	✅	1s	5s	-80%
`pack_sig_c`	✅	1s	4s	-75%
`poly_caddq_native`	✅	1s	2s	-50%
`poly_invntt_tomont`	✅	1s	4s	-75%
`poly_make_hint`	✅	1s	4s	-75%
`poly_ntt`	✅	1s	3s	-67%
`poly_permute_bitrev_to_custom_optional_native`	✅	1s	5s	-80%
`poly_pointwise_montgomery_native`	✅	1s	3s	-67%
`poly_use_hint`	✅	1s	3s	-67%
`polyt1_unpack`	✅	1s	2s	-50%
`shake256x4_squeezeblocks`	✅	1s	5s	-80%
`attempt_signature_generation`	⏭️	skipped	-	-
`compute_pack_z`	⏭️	skipped	-	-
`poly_uniform_4x`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager_serial`	⏭️	skipped	-	-
`polyvec_matrix_pointwise_montgomery_eager`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_c`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_native`	⏭️	skipped	-	-
`shake128x4_absorb_once`	⏭️	skipped	-	-
`shake128x4_squeezeblocks`	⏭️	skipped	-	-
`sign_keypair_internal`	⏭️	skipped	-	-
`sign_pk_from_sk`	⏭️	skipped	-	-
`sign_signature_internal`	⏭️	skipped	-	-
`sign_verify_internal`	⏭️	skipped	-	-
`unpack_sk`	⏭️	skipped	-	-

oqs-bot · 2026-04-24T21:07:17Z

CBMC Results (ML-DSA-87, REDUCE-RAM)

⏭️ 16 proof(s) skipped (see proofs/cbmc/reduce_ram_skip.txt)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`rej_uniform_eta4_native_aarch64`	❌	-	-	-
`attempt_signature_generation`	⏭️	skipped	-	-
`compute_pack_z`	⏭️	skipped	-	-
`poly_uniform_4x`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager_serial`	⏭️	skipped	-	-
`polyvec_matrix_pointwise_montgomery_eager`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_c`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_native`	⏭️	skipped	-	-
`shake128x4_absorb_once`	⏭️	skipped	-	-
`shake128x4_squeezeblocks`	⏭️	skipped	-	-
`sign_keypair_internal`	⏭️	skipped	-	-
`sign_pk_from_sk`	⏭️	skipped	-	-
`sign_signature_internal`	⏭️	skipped	-	-
`sign_verify_internal`	⏭️	skipped	-	-
`unpack_sk`	⏭️	skipped	-	-

Full Results (187 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1248s	1158s	+7.8%
`poly_pointwise_montgomery_c`	✅	111s	106s	+5%
`mld_invntt_layer`	✅	108s	95s	+14%
`rej_uniform_native`	✅	107s	104s	+3%
`mld_ct_memcmp`	✅	73s	68s	+7%
`mld_ntt_layer`	✅	43s	40s	+7%
`fqmul`	✅	29s	26s	+12%
`keccakf1600x4_permute_native`	✅	26s	25s	+4%
`polyveck_decompose`	✅	22s	18s	+22%
`poly_chknorm_c`	✅	17s	14s	+21%
`mld_ntt_butterfly_block`	✅	16s	14s	+14%
`mld_check_pct`	✅	15s	11s	+36%
`polyeta_unpack`	✅	14s	14s	+0%
`polyt0_unpack`	✅	14s	14s	+0%
`polyveck_pointwise_poly_montgomery`	✅	13s	10s	+30%
`poly_uniform_eta_4x`	✅	12s	12s	+0%
`polyveck_power2round`	✅	12s	10s	+20%
`rej_uniform_c`	✅	11s	9s	+22%
`poly_add`	✅	10s	10s	+0%
`keccak_absorb_once_x4`	✅	9s	9s	+0%
`keccakf1600_permute`	✅	9s	7s	+29%
`poly_caddq_c`	✅	9s	7s	+29%
`polyveck_reduce`	✅	9s	6s	+50%
`rej_uniform`	✅	9s	7s	+29%
`keccakf1600_permute_native`	✅	8s	9s	-11%
`poly_invntt_tomont_c`	✅	8s	7s	+14%
`poly_use_hint`	✅	8s	2s	+300%
`polyveck_add`	✅	8s	8s	+0%
`polyveck_caddq`	✅	8s	9s	-11%
`polyveck_invntt_tomont`	✅	8s	7s	+14%
`polyveck_use_hint`	✅	8s	7s	+14%
`polyz_unpack_c`	✅	8s	10s	-20%
`keccak_absorb`	✅	7s	7s	+0%
`mld_sample_s1_s2_serial`	✅	7s	5s	+40%
`mld_value_barrier_u32`	✅	7s	4s	+75%
`pointwise_acc_native_aarch64`	✅	7s	6s	+17%
`poly_invntt_tomont_native`	✅	7s	5s	+40%
`poly_uniform_gamma1_4x`	✅	7s	6s	+17%
`polyvecl_ntt`	✅	7s	5s	+40%
`sign`	✅	7s	6s	+17%
`sign_signature_extmu`	✅	7s	4s	+75%
`mld_sample_s1_s2`	✅	6s	7s	-14%
`pack_sig_z`	✅	6s	4s	+50%
`pointwise_acc_native_x86_64`	✅	6s	6s	+0%
`poly_uniform_eta`	✅	6s	3s	+100%
`poly_use_hint_c`	✅	6s	5s	+20%
`polyveck_ntt`	✅	6s	7s	-14%
`polyveck_shiftl`	✅	6s	5s	+20%
`sign_verify_extmu`	✅	6s	3s	+100%
`keccak_squeezeblocks_x4`	✅	5s	6s	-17%
`pointwise_native_x86_64`	✅	5s	3s	+67%
`poly_challenge`	✅	5s	3s	+67%
`poly_decompose_c`	✅	5s	4s	+25%
`poly_uniform`	✅	5s	3s	+67%
`polyeta_pack`	✅	5s	1s	+400%
`polyveck_sub`	✅	5s	7s	-29%
`polyvecl_chknorm`	✅	5s	5s	+0%
`polyvecl_unpack_eta`	✅	5s	3s	+67%
`rej_eta_native`	✅	5s	4s	+25%
`rej_uniform_eta2_native_aarch64`	✅	5s	-	new
`sign_open`	✅	5s	3s	+67%
`sign_signature`	✅	5s	3s	+67%
`sign_signature_pre_hash_internal`	✅	5s	5s	+0%
`sign_verify_pre_hash_shake256`	✅	5s	6s	-17%
`keccak_squeeze`	✅	4s	3s	+33%
`mld_ct_cmask_nonzero_u32`	✅	4s	4s	+0%
`mld_prepare_domain_separation_prefix`	✅	4s	1s	+300%
`ntt_native_x86_64`	✅	4s	3s	+33%
`pack_pk`	✅	4s	2s	+100%
`pack_sig_c`	✅	4s	2s	+100%
`pack_sk_rho_key_tr_s2_t0`	✅	4s	3s	+33%
`pack_sk_s1`	✅	4s	3s	+33%
`poly_decompose`	✅	4s	3s	+33%
`poly_ntt_native`	✅	4s	4s	+0%
`poly_permute_bitrev_to_custom_optional_native`	✅	4s	4s	+0%
`poly_shiftl`	✅	4s	8s	-50%
`poly_uniform_gamma1`	✅	4s	3s	+33%
`polyveck_chknorm`	✅	4s	6s	-33%
`polyveck_pack_eta`	✅	4s	5s	-20%
`polyveck_unpack_eta`	✅	4s	4s	+0%
`polyvecl_uniform_gamma1`	✅	4s	4s	+0%
`polyw1_pack`	✅	4s	3s	+33%
`polyz_pack`	✅	4s	4s	+0%
`rej_eta`	✅	4s	3s	+33%
`rej_eta_c`	✅	4s	3s	+33%
`shake128_squeeze`	✅	4s	3s	+33%
`shake256x4_absorb_once`	✅	4s	4s	+0%
`sign_keypair`	✅	4s	3s	+33%
`sign_verify_pre_hash_internal`	✅	4s	2s	+100%
`unpack_hints`	✅	4s	5s	-20%
`unpack_pk`	✅	4s	5s	-20%
`unpack_sig`	✅	4s	4s	+0%
`decompose`	✅	3s	2s	+50%
`intt_native_x86_64`	✅	3s	4s	-25%
`keccak_init`	✅	3s	3s	+0%
`make_hint`	✅	3s	3s	+0%
`mld_ct_cmask_neg_i32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u8`	✅	3s	4s	-25%
`mld_ct_get_optblocker_i64`	✅	3s	2s	+50%
`mld_ct_get_optblocker_u32`	✅	3s	4s	-25%
`mld_ct_get_optblocker_u8`	✅	3s	2s	+50%
`mld_ct_sel_int32`	✅	3s	2s	+50%
`mld_h`	✅	3s	3s	+0%
`mld_keccakf1600_extract_bytes`	✅	3s	3s	+0%
`mld_value_barrier_u8`	✅	3s	1s	+200%
`montgomery_reduce`	✅	3s	3s	+0%
`pack_sig_h_poly`	✅	3s	6s	-50%
`poly_caddq`	✅	3s	2s	+50%
`poly_caddq_native`	✅	3s	4s	-25%
`poly_chknorm`	✅	3s	2s	+50%
`poly_chknorm_native`	✅	3s	2s	+50%
`poly_chknorm_native_aarch64`	✅	3s	2s	+50%
`poly_invntt_tomont`	✅	3s	3s	+0%
`poly_pointwise_montgomery`	✅	3s	4s	-25%
`poly_power2round`	✅	3s	2s	+50%
`poly_sub`	✅	3s	4s	-25%
`polyt0_pack`	✅	3s	4s	-25%
`polyt1_pack`	✅	3s	6s	-50%
`polyt1_unpack`	✅	3s	4s	-25%
`polyveck_pack_t0`	✅	3s	3s	+0%
`polyveck_unpack_t0`	✅	3s	3s	+0%
`polyvecl_pack_eta`	✅	3s	4s	-25%
`polyvecl_uniform_gamma1_serial`	✅	3s	2s	+50%
`polyvecl_unpack_z`	✅	3s	3s	+0%
`polyz_unpack`	✅	3s	4s	-25%
`shake128_finalize`	✅	3s	3s	+0%
`shake256`	✅	3s	3s	+0%
`shake256_squeeze`	✅	3s	1s	+200%
`sign_verify`	✅	3s	3s	+0%
`use_hint`	✅	3s	3s	+0%
`fqscale`	✅	2s	1s	+100%
`keccak_f1600_x1_native_aarch64`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	1s	+100%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	2s	+0%
`keccak_finalize`	✅	2s	2s	+0%
`keccakf1600_xor_bytes (big endian)`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`keccakf1600x4_permute`	✅	2s	5s	-60%
`keccakf1600x4_xor_bytes`	✅	2s	5s	-60%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`pointwise_native_aarch64`	✅	2s	3s	-33%
`poly_caddq_native_aarch64`	✅	2s	3s	-33%
`poly_decompose_native`	✅	2s	5s	-60%
`poly_make_hint`	✅	2s	1s	+100%
`poly_ntt`	✅	2s	2s	+0%
`poly_ntt_c`	✅	2s	3s	-33%
`poly_permute_bitrev_to_custom_optional`	✅	2s	1s	+100%
`poly_pointwise_montgomery_native`	✅	2s	2s	+0%
`poly_reduce`	✅	2s	2s	+0%
`poly_use_hint_native`	✅	2s	4s	-50%
`polyveck_pack_w1`	✅	2s	5s	-60%
`polyz_unpack_native`	✅	2s	2s	+0%
`power2round`	✅	2s	3s	-33%
`reduce32`	✅	2s	2s	+0%
`shake128_absorb`	✅	2s	1s	+100%
`shake128_release`	✅	2s	2s	+0%
`shake256_absorb`	✅	2s	2s	+0%
`shake256_init`	✅	2s	3s	-33%
`shake256_release`	✅	2s	3s	-33%
`sign_signature_pre_hash_shake256`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	2s	+0%
`rej_uniform_eta4_native_aarch64`	❌	-	-	-
`caddq`	✅	1s	2s	-50%
`keccakf1600_extract_bytes (big endian)`	✅	1s	3s	-67%
`keccakf1600_xor_bytes`	✅	1s	2s	-50%
`mld_ct_abs_i32`	✅	1s	3s	-67%
`ntt_native_aarch64`	✅	1s	2s	-50%
`shake128_init`	✅	1s	1s	+0%
`shake256_finalize`	✅	1s	3s	-67%
`shake256x4_squeezeblocks`	✅	1s	2s	-50%
`attempt_signature_generation`	⏭️	skipped	-	-
`compute_pack_z`	⏭️	skipped	-	-
`poly_uniform_4x`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager_serial`	⏭️	skipped	-	-
`polyvec_matrix_pointwise_montgomery_eager`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_c`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_native`	⏭️	skipped	-	-
`shake128x4_absorb_once`	⏭️	skipped	-	-
`shake128x4_squeezeblocks`	⏭️	skipped	-	-
`sign_keypair_internal`	⏭️	skipped	-	-
`sign_pk_from_sk`	⏭️	skipped	-	-
`sign_signature_internal`	⏭️	skipped	-	-
`sign_verify_internal`	⏭️	skipped	-	-
`unpack_sk`	⏭️	skipped	-	-

oqs-bot · 2026-04-24T21:07:29Z

CBMC Results (ML-DSA-65, REDUCE-RAM)

⏭️ 16 proof(s) skipped (see proofs/cbmc/reduce_ram_skip.txt)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`rej_uniform_eta2_native_aarch64`	❌	-	-	-
`attempt_signature_generation`	⏭️	skipped	-	-
`compute_pack_z`	⏭️	skipped	-	-
`poly_uniform_4x`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager_serial`	⏭️	skipped	-	-
`polyvec_matrix_pointwise_montgomery_eager`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_c`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_native`	⏭️	skipped	-	-
`shake128x4_absorb_once`	⏭️	skipped	-	-
`shake128x4_squeezeblocks`	⏭️	skipped	-	-
`sign_keypair_internal`	⏭️	skipped	-	-
`sign_pk_from_sk`	⏭️	skipped	-	-
`sign_signature_internal`	⏭️	skipped	-	-
`sign_verify_internal`	⏭️	skipped	-	-
`unpack_sk`	⏭️	skipped	-	-

Full Results (187 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1245s	1207s	+3.1%
`poly_pointwise_montgomery_c`	✅	118s	114s	+4%
`rej_uniform_native`	✅	108s	108s	+0%
`mld_invntt_layer`	✅	106s	103s	+3%
`mld_ct_memcmp`	✅	76s	75s	+1%
`mld_ntt_layer`	✅	44s	43s	+2%
`fqmul`	✅	31s	29s	+7%
`keccakf1600x4_permute_native`	✅	23s	24s	-4%
`mld_ntt_butterfly_block`	✅	19s	19s	+0%
`polyveck_power2round`	✅	18s	18s	+0%
`poly_chknorm_c`	✅	16s	16s	+0%
`polyt0_unpack`	✅	15s	15s	+0%
`poly_uniform_eta_4x`	✅	14s	14s	+0%
`polyveck_decompose`	✅	13s	15s	-13%
`polyveck_add`	✅	12s	11s	+9%
`polyveck_use_hint`	✅	12s	8s	+50%
`poly_add`	✅	11s	11s	+0%
`mld_check_pct`	✅	10s	11s	-9%
`poly_invntt_tomont_c`	✅	10s	10s	+0%
`polyveck_caddq`	✅	10s	7s	+43%
`polyveck_invntt_tomont`	✅	10s	7s	+43%
`sign`	✅	10s	8s	+25%
`keccak_absorb_once_x4`	✅	9s	8s	+12%
`polyveck_pointwise_poly_montgomery`	✅	9s	12s	-25%
`polyvecl_ntt`	✅	9s	10s	-10%
`polyz_unpack_c`	✅	9s	9s	+0%
`rej_uniform_c`	✅	9s	9s	+0%
`poly_caddq_c`	✅	8s	8s	+0%
`poly_shiftl`	✅	8s	4s	+100%
`polyveck_ntt`	✅	8s	8s	+0%
`polyveck_shiftl`	✅	8s	6s	+33%
`keccak_absorb`	✅	7s	6s	+17%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	7s	3s	+133%
`keccakf1600_permute`	✅	7s	7s	+0%
`rej_uniform`	✅	7s	7s	+0%
`decompose`	✅	6s	2s	+200%
`keccak_squeezeblocks_x4`	✅	6s	4s	+50%
`keccakf1600_permute_native`	✅	6s	9s	-33%
`poly_decompose_c`	✅	6s	5s	+20%
`poly_reduce`	✅	6s	3s	+100%
`poly_uniform_gamma1`	✅	6s	3s	+100%
`polyveck_chknorm`	✅	6s	4s	+50%
`sign_signature`	✅	6s	6s	+0%
`keccak_squeeze`	✅	5s	3s	+67%
`mld_prepare_domain_separation_prefix`	✅	5s	5s	+0%
`mld_sample_s1_s2_serial`	✅	5s	3s	+67%
`pack_sk_rho_key_tr_s2_t0`	✅	5s	2s	+150%
`pointwise_acc_native_aarch64`	✅	5s	6s	-17%
`pointwise_acc_native_x86_64`	✅	5s	7s	-29%
`poly_power2round`	✅	5s	2s	+150%
`poly_uniform`	✅	5s	3s	+67%
`poly_uniform_eta`	✅	5s	3s	+67%
`poly_uniform_gamma1_4x`	✅	5s	5s	+0%
`poly_use_hint_c`	✅	5s	5s	+0%
`polyveck_reduce`	✅	5s	5s	+0%
`polyveck_sub`	✅	5s	8s	-38%
`polyveck_unpack_t0`	✅	5s	3s	+67%
`rej_uniform_eta4_native_aarch64`	✅	5s	-	new
`shake128_init`	✅	5s	3s	+67%
`sign_signature_pre_hash_shake256`	✅	5s	8s	-38%
`sign_verify_pre_hash_internal`	✅	5s	5s	+0%
`sign_verify_pre_hash_shake256`	✅	5s	3s	+67%
`unpack_hints`	✅	5s	6s	-17%
`unpack_sig`	✅	5s	2s	+150%
`keccak_f1600_x4_native_aarch64_v84a`	✅	4s	1s	+300%
`keccakf1600_extract_bytes (big endian)`	✅	4s	2s	+100%
`mld_ct_get_optblocker_u8`	✅	4s	3s	+33%
`mld_sample_s1_s2`	✅	4s	5s	-20%
`pack_pk`	✅	4s	2s	+100%
`pack_sig_c`	✅	4s	3s	+33%
`pack_sig_h_poly`	✅	4s	4s	+0%
`pack_sk_s1`	✅	4s	3s	+33%
`pointwise_native_aarch64`	✅	4s	3s	+33%
`poly_caddq_native`	✅	4s	3s	+33%
`poly_chknorm`	✅	4s	2s	+100%
`poly_decompose_native`	✅	4s	2s	+100%
`poly_ntt_native`	✅	4s	3s	+33%
`poly_permute_bitrev_to_custom_optional_native`	✅	4s	3s	+33%
`poly_pointwise_montgomery`	✅	4s	4s	+0%
`polyt0_pack`	✅	4s	4s	+0%
`polyt1_unpack`	✅	4s	4s	+0%
`polyveck_pack_w1`	✅	4s	6s	-33%
`polyveck_unpack_eta`	✅	4s	3s	+33%
`polyw1_pack`	✅	4s	3s	+33%
`polyz_unpack_native`	✅	4s	3s	+33%
`reduce32`	✅	4s	2s	+100%
`rej_eta_c`	✅	4s	1s	+300%
`rej_eta_native`	✅	4s	4s	+0%
`shake256_init`	✅	4s	3s	+33%
`shake256x4_squeezeblocks`	✅	4s	3s	+33%
`sign_keypair`	✅	4s	5s	-20%
`sign_open`	✅	4s	5s	-20%
`sign_signature_extmu`	✅	4s	3s	+33%
`sign_signature_pre_hash_internal`	✅	4s	4s	+0%
`sign_verify_extmu`	✅	4s	3s	+33%
`fqscale`	✅	3s	3s	+0%
`intt_native_x86_64`	✅	3s	4s	-25%
`keccak_f1600_x1_native_aarch64`	✅	3s	2s	+50%
`keccak_finalize`	✅	3s	3s	+0%
`keccak_init`	✅	3s	4s	-25%
`keccakf1600_xor_bytes (big endian)`	✅	3s	3s	+0%
`keccakf1600x4_extract_bytes`	✅	3s	1s	+200%
`keccakf1600x4_xor_bytes`	✅	3s	2s	+50%
`make_hint`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u8`	✅	3s	4s	-25%
`mld_value_barrier_u32`	✅	3s	1s	+200%
`mld_value_barrier_u8`	✅	3s	4s	-25%
`ntt_native_aarch64`	✅	3s	3s	+0%
`pack_sig_z`	✅	3s	4s	-25%
`poly_caddq`	✅	3s	2s	+50%
`poly_challenge`	✅	3s	5s	-40%
`poly_invntt_tomont`	✅	3s	4s	-25%
`poly_make_hint`	✅	3s	2s	+50%
`poly_ntt_c`	✅	3s	3s	+0%
`poly_sub`	✅	3s	4s	-25%
`poly_use_hint_native`	✅	3s	2s	+50%
`polyeta_pack`	✅	3s	3s	+0%
`polyeta_unpack`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	2s	+50%
`polyveck_pack_t0`	✅	3s	4s	-25%
`polyvecl_pack_eta`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1_serial`	✅	3s	3s	+0%
`polyvecl_unpack_eta`	✅	3s	2s	+50%
`polyz_pack`	✅	3s	4s	-25%
`rej_eta`	✅	3s	3s	+0%
`shake256_finalize`	✅	3s	2s	+50%
`shake256x4_absorb_once`	✅	3s	2s	+50%
`sign_verify`	✅	3s	5s	-40%
`use_hint`	✅	3s	2s	+50%
`caddq`	✅	2s	4s	-50%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	4s	-50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	2s	+0%
`keccakf1600x4_permute`	✅	2s	3s	-33%
`mld_ct_abs_i32`	✅	2s	2s	+0%
`mld_ct_cmask_neg_i32`	✅	2s	2s	+0%
`mld_ct_get_optblocker_i64`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u32`	✅	2s	4s	-50%
`mld_ct_sel_int32`	✅	2s	1s	+100%
`mld_h`	✅	2s	4s	-50%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`ntt_native_x86_64`	✅	2s	3s	-33%
`pointwise_native_x86_64`	✅	2s	4s	-50%
`poly_caddq_native_aarch64`	✅	2s	3s	-33%
`poly_chknorm_native`	✅	2s	2s	+0%
`poly_chknorm_native_aarch64`	✅	2s	2s	+0%
`poly_decompose`	✅	2s	4s	-50%
`poly_invntt_tomont_native`	✅	2s	6s	-67%
`poly_ntt`	✅	2s	3s	-33%
`poly_permute_bitrev_to_custom_optional`	✅	2s	3s	-33%
`poly_pointwise_montgomery_native`	✅	2s	3s	-33%
`poly_use_hint`	✅	2s	2s	+0%
`polyt1_pack`	✅	2s	4s	-50%
`polyvecl_chknorm`	✅	2s	5s	-60%
`polyvecl_uniform_gamma1`	✅	2s	2s	+0%
`polyvecl_unpack_z`	✅	2s	5s	-60%
`power2round`	✅	2s	3s	-33%
`shake128_release`	✅	2s	2s	+0%
`shake256_absorb`	✅	2s	1s	+100%
`shake256_squeeze`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	3s	-33%
`rej_uniform_eta2_native_aarch64`	❌	-	-	-
`keccakf1600_xor_bytes`	✅	1s	1s	+0%
`mld_keccakf1600_extract_bytes`	✅	1s	2s	-50%
`montgomery_reduce`	✅	1s	2s	-50%
`polyz_unpack`	✅	1s	3s	-67%
`shake128_absorb`	✅	1s	4s	-75%
`shake128_finalize`	✅	1s	2s	-50%
`shake128_squeeze`	✅	1s	1s	+0%
`shake256`	✅	1s	3s	-67%
`shake256_release`	✅	1s	3s	-67%
`unpack_pk`	✅	1s	4s	-75%
`attempt_signature_generation`	⏭️	skipped	-	-
`compute_pack_z`	⏭️	skipped	-	-
`poly_uniform_4x`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager`	⏭️	skipped	-	-
`polyvec_matrix_expand_eager_serial`	⏭️	skipped	-	-
`polyvec_matrix_pointwise_montgomery_eager`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_c`	⏭️	skipped	-	-
`polyvecl_pointwise_acc_montgomery_native`	⏭️	skipped	-	-
`shake128x4_absorb_once`	⏭️	skipped	-	-
`shake128x4_squeezeblocks`	⏭️	skipped	-	-
`sign_keypair_internal`	⏭️	skipped	-	-
`sign_pk_from_sk`	⏭️	skipped	-	-
`sign_signature_internal`	⏭️	skipped	-	-
`sign_verify_internal`	⏭️	skipped	-	-
`unpack_sk`	⏭️	skipped	-	-

jakemas requested a review from a team as a code owner April 14, 2026 21:41

jakemas marked this pull request as draft April 14, 2026 21:41

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 7 times, most recently from a3673e9 to 0213d92 Compare April 14, 2026 22:00

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 0213d92 to 4558665 Compare April 14, 2026 22:03

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 4558665 to 73d8d61 Compare April 14, 2026 22:14

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 73d8d61 to a7cc582 Compare April 15, 2026 11:06

jakemas changed the title ~~Add HOL Light rej_uniform_eta4 proof for AArch64~~ Add HOL Light rej_uniform_eta proofs for AArch64 Apr 15, 2026

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 9 times, most recently from 77cb935 to f986df8 Compare April 15, 2026 17:09

mkannwischer self-assigned this Apr 22, 2026

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch 2 times, most recently from 7607d25 to 37dfafd Compare April 24, 2026 20:08

jakemas force-pushed the add-hol-light-rej-uniform-eta4 branch from 37dfafd to ddd97de Compare April 24, 2026 20:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add HOL Light rej_uniform_eta proofs for AArch64#1040

Add HOL Light rej_uniform_eta proofs for AArch64#1040
jakemas wants to merge 2 commits intomainfrom
add-hol-light-rej-uniform-eta4

jakemas commented Apr 14, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

jakemas commented Apr 14, 2026 •

edited

Loading

CBMC Results (ML-DSA-44)

Uh oh!

oqs-bot commented Apr 24, 2026

Uh oh!

oqs-bot commented Apr 24, 2026

Uh oh!

oqs-bot commented Apr 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jakemas commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oqs-bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44)

Uh oh!

oqs-bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-65)

Uh oh!

oqs-bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-87)

Uh oh!

jakemas commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44)

Uh oh!

oqs-bot commented Apr 24, 2026

CBMC Results (ML-DSA-44, REDUCE-RAM)

Uh oh!

oqs-bot commented Apr 24, 2026

CBMC Results (ML-DSA-87, REDUCE-RAM)

Uh oh!

oqs-bot commented Apr 24, 2026

CBMC Results (ML-DSA-65, REDUCE-RAM)

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jakemas commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 14, 2026 •

edited

Loading

oqs-bot commented Apr 14, 2026 •

edited

Loading

jakemas commented Apr 14, 2026 •

edited

Loading