Skip to content

sign: Use MLD_ALLOC for all secret buffers in sign.c#1077

Open
mkannwischer wants to merge 1 commit intomainfrom
sign-rnd-on-stack
Open

sign: Use MLD_ALLOC for all secret buffers in sign.c#1077
mkannwischer wants to merge 1 commit intomainfrom
sign-rnd-on-stack

Conversation

@mkannwischer
Copy link
Copy Markdown
Contributor

@mkannwischer mkannwischer commented Apr 30, 2026
edited
Loading

As a follow-up to 64067ca, vonvert the stack-allocated rnd/seed/pre buffers in the public sign API
wrappers to MLD_ALLOC so that consumers using a custom allocator
(MLD_CONFIG_CUSTOM_ALLOC_FREE) place all sensitive material through the
same allocation path.

Fixed-size, non-secret stack buffers (hpk, ph, message[1] in PCT) are
left on the stack so that all verify routines perform the same set of
MLD_ALLOC allocations (and likewise for sign), which keeps a single
MLD_TOTAL_ALLOC_*_VERIFY / *_SIGN constant accurate without one variant
inflating the bound for the others.

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Apr 30, 2026
edited
Loading

CBMC Results (ML-DSA-44)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1670s 1692s -1.3%
sign_verify_internal 136s 135s +1%
rej_uniform_native 115s 120s -4%
polyvecl_pointwise_acc_montgomery_c 111s 118s -6%
mld_invntt_layer 94s 95s -1%
poly_pointwise_montgomery_c 87s 92s -5%
mld_ct_memcmp 75s 81s -7%
mld_attempt_signature_generation 53s 52s +2%
mld_ntt_layer 42s 43s -2%
fqmul 29s 29s +0%
polyvec_matrix_expand 26s 25s +4%
polyvec_matrix_pointwise_montgomery 26s 23s +13%
sign_keypair_internal 24s 22s +9%
keccakf1600x4_permute_native 22s 22s +0%
sign_signature_internal 21s 21s +0%
sign_pk_from_sk 19s 20s -5%
rej_uniform_c 18s 19s -5%
mld_ntt_butterfly_block 17s 16s +6%
poly_chknorm_c 17s 17s +0%
rej_uniform 16s 16s +0%
polyveck_chknorm 15s 18s -17%
poly_uniform_eta_4x 14s 14s +0%
polyt0_unpack 14s 15s -7%
keccak_absorb_once_x4 13s 8s +62%
polyz_unpack_c 13s 12s +8%
polyeta_unpack 12s 11s +9%
polyvec_matrix_pointwise_montgomery_yvec 12s 14s -14%
poly_add 11s 10s +10%
poly_uniform_4x 11s 12s -8%
mld_check_pct 9s 11s -18%
keccakf1600_permute_native 8s 6s +33%
poly_invntt_tomont_c 8s 8s +0%
poly_power2round 8s 9s -11%
polyveck_decompose 8s 5s +60%
sign 8s 7s +14%
keccak_squeezeblocks_x4 7s 5s +40%
keccakf1600_permute 7s 7s +0%
mld_compute_pack_z 7s 6s +17%
polyveck_use_hint 7s 6s +17%
decompose 6s 3s +100%
intt_native_x86_64 6s 3s +100%
keccak_absorb 6s 7s -14%
mld_h 6s 3s +100%
pointwise_acc_native_x86_64 6s 6s +0%
poly_caddq_c 6s 3s +100%
polyveck_pointwise_poly_montgomery 6s 7s -14%
polyveck_power2round 6s 6s +0%
polyvecl_ntt 6s 5s +20%
sign_signature_pre_hash_internal 6s 4s +50%
mld_polymat_expand_entry 5s 4s +25%
mld_sample_s1_s2 5s 5s +0%
mld_value_barrier_u32 5s 3s +67%
nttunpack_native_x86_64 5s 2s +150%
pointwise_acc_native_aarch64 5s 5s +0%
poly_chknorm_native_aarch64 5s 2s +150%
poly_permute_bitrev_to_custom_optional_native 5s 5s +0%
poly_uniform 5s 3s +67%
polyvec_matrix_pointwise_montgomery_row 5s 3s +67%
polyveck_add 5s 9s -44%
polyveck_sub 5s 4s +25%
polyveck_unpack_t0 5s 3s +67%
polyvecl_chknorm 5s 4s +25%
polyw1_pack 5s 3s +67%
shake128x4_absorb_once 5s 2s +150%
shake128x4_squeezeblocks 5s 3s +67%
shake256 5s 4s +25%
sig_unpack_hints 5s 5s +0%
sign_signature_extmu 5s 2s +150%
sign_signature_pre_hash_shake256 5s 5s +0%
fqscale 4s 2s +100%
mld_ct_get_optblocker_i64 4s 1s +300%
mld_value_barrier_i64 4s 1s +300%
mld_value_barrier_u8 4s 2s +100%
montgomery_reduce 4s 4s +0%
pack_pk 4s 3s +33%
pack_sk_rho_key_tr_s2_t0 4s 3s +33%
pointwise_native_aarch64 4s 3s +33%
poly_chknorm 4s 5s -20%
poly_decompose 4s 2s +100%
poly_decompose_c 4s 6s -33%
poly_invntt_tomont 4s 3s +33%
poly_make_hint 4s 5s -20%
poly_permute_bitrev_to_custom_optional 4s 1s +300%
poly_pointwise_montgomery 4s 3s +33%
poly_pointwise_montgomery_native 4s 5s -20%
poly_shiftl 4s 4s +0%
poly_uniform_gamma1 4s 6s -33%
poly_uniform_gamma1_4x 4s 4s +0%
poly_use_hint 4s 5s -20%
polyvec_matrix_expand_serial 4s 6s -33%
polyveck_caddq 4s 7s -43%
polyveck_reduce 4s 5s -20%
polyvecl_pointwise_acc_montgomery 4s 2s +100%
polyvecl_unpack_eta 4s 2s +100%
polyvecl_unpack_z 4s 3s +33%
polyz_unpack_19_native_aarch64 4s 4s +0%
reduce32 4s 3s +33%
shake256_absorb 4s 3s +33%
shake256_release 4s 1s +300%
shake256_squeeze 4s 3s +33%
shake256x4_absorb_once 4s 3s +33%
sign_keypair 4s 3s +33%
sign_signature 4s 5s -20%
sign_verify 4s 6s -33%
sign_verify_extmu 4s 4s +0%
sign_verify_pre_hash_internal 4s 3s +33%
sign_verify_pre_hash_shake256 4s 2s +100%
sk_t0hat_get_poly 4s 3s +33%
caddq 3s 2s +50%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 2s +50%
keccakf1600x4_permute 3s 2s +50%
mld_ct_cmask_neg_i32 3s 4s -25%
mld_ct_cmask_nonzero_u8 3s 3s +0%
mld_ct_get_optblocker_u32 3s 2s +50%
mld_ct_get_optblocker_u8 3s 2s +50%
mld_keccakf1600_extract_bytes 3s 1s +200%
mld_prepare_domain_separation_prefix 3s 2s +50%
mld_sample_s1_s2_serial 3s 2s +50%
ntt_native_aarch64 3s 5s -40%
pack_sig_c 3s 1s +200%
pack_sig_h_poly 3s 4s -25%
pointwise_native_x86_64 3s 7s -57%
poly_challenge 3s 3s +0%
poly_invntt_tomont_native 3s 2s +50%
poly_reduce 3s 4s -25%
poly_sub 3s 4s -25%
poly_uniform_eta 3s 5s -40%
poly_use_hint_native 3s 4s -25%
poly_use_hint_native_aarch64 3s 2s +50%
polyeta_pack 3s 3s +0%
polyt0_pack 3s 3s +0%
polyt1_pack 3s 2s +50%
polyt1_unpack 3s 3s +0%
polyveck_invntt_tomont 3s 5s -40%
polyveck_ntt 3s 4s -25%
polyveck_pack_w1 3s 3s +0%
polyveck_shiftl 3s 3s +0%
polyveck_unpack_eta 3s 4s -25%
polyvecl_pack_eta 3s 2s +50%
polyvecl_pointwise_acc_montgomery_native 3s 3s +0%
polyvecl_uniform_gamma1 3s 3s +0%
polyz_unpack_17_native_aarch64 3s 4s -25%
rej_eta 3s 4s -25%
rej_eta_c 3s 6s -50%
rej_eta_native 3s 4s -25%
shake128_absorb 3s 3s +0%
shake128_finalize 3s 5s -40%
shake256_init 3s 2s +50%
sign_open 3s 6s -50%
unpack_pk_t1 3s 3s +0%
unpack_sk 3s 3s +0%
unpack_sk_s2hat 3s 3s +0%
keccak_f1600_x1_native_aarch64_v84a 2s 3s -33%
keccak_f1600_x4_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 3s -33%
keccak_finalize 2s 3s -33%
keccak_squeeze 2s 4s -50%
keccakf1600x4_xor_bytes 2s 3s -33%
make_hint 2s 2s +0%
mld_ct_cmask_nonzero_u32 2s 3s -33%
mld_ct_sel_int32 2s 4s -50%
pack_sig_z 2s 5s -60%
pack_sk_s1 2s 4s -50%
poly_caddq_native 2s 3s -33%
poly_caddq_native_aarch64 2s 4s -50%
poly_chknorm_native 2s 3s -33%
poly_decompose_native 2s 2s +0%
poly_ntt 2s 2s +0%
poly_ntt_c 2s 2s +0%
poly_use_hint_c 2s 3s -33%
polyveck_pack_eta 2s 2s +0%
polyveck_pack_t0 2s 2s +0%
polyvecl_uniform_gamma1_serial 2s 2s +0%
polyz_unpack 2s 2s +0%
polyz_unpack_native 2s 1s +100%
shake128_squeeze 2s 1s +100%
shake256_finalize 2s 3s -33%
shake256x4_squeezeblocks 2s 3s -33%
sk_s2hat_get_poly 2s 1s +100%
sys_check_capability 2s 2s +0%
unpack_sk_t0hat 2s 4s -50%
yvec_get_poly 2s 3s -33%
yvec_init 2s 4s -50%
keccak_f1600_x1_native_aarch64 1s 3s -67%
keccak_f1600_x4_native_avx2 1s 5s -80%
keccak_init 1s 2s -50%
keccakf1600_xor_bytes 1s 2s -50%
keccakf1600_xor_bytes (big endian) 1s 5s -80%
keccakf1600x4_extract_bytes 1s 4s -75%
mld_ct_abs_i32 1s 1s +0%
ntt_native_x86_64 1s 3s -67%
poly_caddq 1s 5s -80%
poly_ntt_native 1s 5s -80%
polyz_pack 1s 2s -50%
power2round 1s 2s -50%
shake128_init 1s 3s -67%
shake128_release 1s 2s -50%
sk_s1hat_get_poly 1s 4s -75%
unpack_sk_s1hat 1s 2s -50%
use_hint 1s 2s -50%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Apr 30, 2026
edited
Loading

CBMC Results (ML-DSA-44, REDUCE-RAM)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1449s 1544s -6.2%
poly_pointwise_montgomery_c 164s 186s -12%
rej_uniform_native 104s 111s -6%
mld_invntt_layer 102s 111s -8%
mld_ct_memcmp 68s 82s -17%
polyvec_matrix_pointwise_montgomery_yvec 58s 67s -13%
mld_ntt_layer 42s 44s -5%
sign_verify_internal 30s 30s +0%
fqmul 27s 30s -10%
keccakf1600x4_permute_native 25s 24s +4%
mld_attempt_signature_generation 19s 18s +6%
rej_uniform 19s 19s +0%
rej_uniform_c 19s 20s -5%
polyeta_unpack 18s 18s +0%
mld_ntt_butterfly_block 17s 19s -11%
sign_keypair_internal 15s 15s +0%
sign_pk_from_sk 15s 13s +15%
poly_chknorm_c 14s 15s -7%
polyveck_use_hint 13s 14s -7%
poly_add 12s 11s +9%
poly_uniform_eta_4x 12s 12s +0%
keccak_absorb_once_x4 11s 11s +0%
mld_check_pct 11s 12s -8%
polyt0_unpack 10s 11s -9%
polyveck_pointwise_poly_montgomery 10s 8s +25%
poly_invntt_tomont_c 9s 8s +12%
poly_power2round 9s 7s +29%
keccakf1600_permute 8s 8s +0%
keccakf1600_permute_native 8s 6s +33%
poly_caddq_c 8s 11s -27%
polyvecl_chknorm 8s 6s +33%
poly_decompose_c 7s 8s -12%
polyveck_add 7s 8s -12%
polyveck_reduce 7s 4s +75%
keccak_absorb 6s 6s +0%
keccak_squeezeblocks_x4 6s 4s +50%
mld_compute_pack_z 6s 7s -14%
polyt0_pack 6s 3s +100%
polyvec_matrix_pointwise_montgomery_row 6s 8s -25%
polyveck_chknorm 6s 9s -33%
polyveck_decompose 6s 5s +20%
polyvecl_uniform_gamma1_serial 6s 4s +50%
sign 6s 9s -33%
sign_verify_pre_hash_internal 6s 4s +50%
keccak_f1600_x1_native_aarch64 5s 1s +400%
mld_polymat_expand_entry 5s 3s +67%
mld_value_barrier_u8 5s 4s +25%
nttunpack_native_x86_64 5s 3s +67%
pointwise_acc_native_aarch64 5s 7s -29%
pointwise_acc_native_x86_64 5s 6s -17%
poly_challenge 5s 6s -17%
poly_chknorm_native 5s 6s -17%
poly_shiftl 5s 5s +0%
polyeta_pack 5s 3s +67%
polyvec_matrix_expand 5s 3s +67%
polyveck_ntt 5s 3s +67%
polyveck_pack_eta 5s 4s +25%
polyvecl_ntt 5s 4s +25%
polyvecl_uniform_gamma1 5s 3s +67%
rej_eta_c 5s 6s -17%
sign_open 5s 3s +67%
sign_signature_pre_hash_shake256 5s 5s +0%
sk_t0hat_get_poly 5s 3s +67%
sys_check_capability 5s 3s +67%
unpack_sk 5s 4s +25%
intt_native_x86_64 4s 4s +0%
keccak_f1600_x4_native_aarch64_v84a 4s 1s +300%
keccak_init 4s 2s +100%
keccakf1600_extract_bytes (big endian) 4s 4s +0%
keccakf1600_xor_bytes 4s 2s +100%
mld_ct_abs_i32 4s 3s +33%
mld_ct_sel_int32 4s 3s +33%
poly_caddq_native 4s 2s +100%
poly_chknorm 4s 6s -33%
poly_chknorm_native_aarch64 4s 3s +33%
poly_permute_bitrev_to_custom_optional 4s 3s +33%
poly_permute_bitrev_to_custom_optional_native 4s 3s +33%
poly_pointwise_montgomery_native 4s 4s +0%
poly_use_hint_c 4s 3s +33%
polyvec_matrix_expand_serial 4s 2s +100%
polyvec_matrix_pointwise_montgomery 4s 5s -20%
polyveck_caddq 4s 3s +33%
polyveck_power2round 4s 5s -20%
polyveck_shiftl 4s 4s +0%
polyveck_sub 4s 4s +0%
polyveck_unpack_eta 4s 4s +0%
polyvecl_unpack_eta 4s 1s +300%
polyvecl_unpack_z 4s 2s +100%
shake128_release 4s 2s +100%
shake256_squeeze 4s 4s +0%
sig_unpack_hints 4s 5s -20%
sign_keypair 4s 3s +33%
sign_signature_internal 4s 7s -43%
sign_verify 4s 5s -20%
sign_verify_extmu 4s 3s +33%
unpack_pk_t1 4s 5s -20%
unpack_sk_s1hat 4s 3s +33%
caddq 3s 2s +50%
decompose 3s 2s +50%
keccak_f1600_x1_native_aarch64_v84a 3s 2s +50%
keccak_squeeze 3s 4s -25%
keccakf1600_xor_bytes (big endian) 3s 2s +50%
keccakf1600x4_extract_bytes 3s 3s +0%
keccakf1600x4_xor_bytes 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_h 3s 2s +50%
mld_prepare_domain_separation_prefix 3s 4s -25%
mld_sample_s1_s2 3s 5s -40%
mld_sample_s1_s2_serial 3s 5s -40%
mld_value_barrier_u32 3s 5s -40%
pack_pk 3s 4s -25%
pack_sig_z 3s 3s +0%
pointwise_native_aarch64 3s 4s -25%
poly_caddq_native_aarch64 3s 5s -40%
poly_decompose_native 3s 4s -25%
poly_invntt_tomont 3s 5s -40%
poly_make_hint 3s 2s +50%
poly_ntt 3s 2s +50%
poly_ntt_c 3s 3s +0%
poly_ntt_native 3s 3s +0%
poly_reduce 3s 3s +0%
poly_sub 3s 1s +200%
poly_uniform 3s 5s -40%
poly_uniform_4x 3s 2s +50%
poly_uniform_eta 3s 6s -50%
poly_uniform_gamma1 3s 2s +50%
poly_use_hint 3s 2s +50%
poly_use_hint_native 3s 2s +50%
poly_use_hint_native_aarch64 3s 5s -40%
polyveck_invntt_tomont 3s 8s -62%
polyveck_pack_t0 3s 3s +0%
polyveck_pack_w1 3s 5s -40%
polyvecl_pack_eta 3s 3s +0%
polyvecl_pointwise_acc_montgomery 3s 5s -40%
polyvecl_pointwise_acc_montgomery_native 3s 3s +0%
polyw1_pack 3s 3s +0%
polyz_unpack 3s 2s +50%
polyz_unpack_17_native_aarch64 3s 5s -40%
polyz_unpack_c 3s 3s +0%
power2round 3s 1s +200%
reduce32 3s 1s +200%
rej_eta 3s 3s +0%
rej_eta_native 3s 4s -25%
shake256_finalize 3s 3s +0%
sign_signature 3s 6s -50%
sign_signature_extmu 3s 5s -40%
sign_signature_pre_hash_internal 3s 2s +50%
sign_verify_pre_hash_shake256 3s 4s -25%
unpack_sk_s2hat 3s 4s -25%
unpack_sk_t0hat 3s 3s +0%
yvec_get_poly 3s 2s +50%
fqscale 2s 4s -50%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 2s +0%
keccak_f1600_x4_native_avx2 2s 3s -33%
keccak_finalize 2s 2s +0%
make_hint 2s 2s +0%
mld_ct_cmask_neg_i32 2s 3s -33%
mld_ct_cmask_nonzero_u8 2s 2s +0%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_ct_get_optblocker_u32 2s 3s -33%
mld_ct_get_optblocker_u8 2s 3s -33%
mld_keccakf1600_extract_bytes 2s 3s -33%
mld_value_barrier_i64 2s 5s -60%
montgomery_reduce 2s 4s -50%
pack_sig_c 2s 6s -67%
pack_sig_h_poly 2s 1s +100%
pack_sk_rho_key_tr_s2_t0 2s 4s -50%
pack_sk_s1 2s 2s +0%
pointwise_native_x86_64 2s 3s -33%
poly_caddq 2s 1s +100%
poly_decompose 2s 4s -50%
poly_invntt_tomont_native 2s 2s +0%
poly_pointwise_montgomery 2s 2s +0%
poly_uniform_gamma1_4x 2s 3s -33%
polyt1_pack 2s 4s -50%
polyt1_unpack 2s 3s -33%
polyveck_unpack_t0 2s 2s +0%
polyz_pack 2s 2s +0%
polyz_unpack_native 2s 4s -50%
shake128_absorb 2s 3s -33%
shake128_finalize 2s 3s -33%
shake128_squeeze 2s 4s -50%
shake128x4_absorb_once 2s 1s +100%
shake256 2s 2s +0%
shake256_absorb 2s 4s -50%
shake256_init 2s 2s +0%
shake256_release 2s 3s -33%
sk_s2hat_get_poly 2s 3s -33%
use_hint 2s 1s +100%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 1s 1s +0%
keccakf1600x4_permute 1s 3s -67%
ntt_native_aarch64 1s 3s -67%
ntt_native_x86_64 1s 5s -80%
polyvecl_pointwise_acc_montgomery_c 1s 4s -75%
polyz_unpack_19_native_aarch64 1s 3s -67%
shake128_init 1s 3s -67%
shake128x4_squeezeblocks 1s 4s -75%
shake256x4_absorb_once 1s 2s -50%
shake256x4_squeezeblocks 1s 3s -67%
sk_s1hat_get_poly 1s 1s +0%
yvec_init 1s 3s -67%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Apr 30, 2026
edited
Loading

CBMC Results (ML-DSA-87, REDUCE-RAM)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1760s 1753s +0.4%
poly_pointwise_montgomery_c 215s 200s +7%
polyvec_matrix_pointwise_montgomery_yvec 151s 150s +1%
rej_uniform_native 117s 114s +3%
mld_invntt_layer 113s 111s +2%
mld_ct_memcmp 84s 83s +1%
mld_ntt_layer 47s 44s +7%
sign_verify_internal 44s 44s +0%
sign_keypair_internal 32s 31s +3%
fqmul 30s 29s +3%
mld_attempt_signature_generation 26s 24s +8%
rej_uniform 22s 23s -4%
rej_uniform_c 22s 21s +5%
keccakf1600x4_permute_native 21s 21s +0%
sign_pk_from_sk 19s 23s -17%
mld_ntt_butterfly_block 18s 18s +0%
polyeta_unpack 18s 18s +0%
poly_uniform_eta_4x 15s 14s +7%
poly_chknorm_c 14s 15s -7%
polyt0_unpack 13s 14s -7%
polyvec_matrix_pointwise_montgomery_row 13s 13s +0%
polyveck_decompose 13s 15s -13%
poly_add 12s 10s +20%
mld_check_pct 11s 13s -15%
poly_caddq_c 11s 7s +57%
keccak_absorb_once_x4 10s 12s -17%
polyveck_invntt_tomont 10s 10s +0%
polyveck_pointwise_poly_montgomery 10s 12s -17%
keccakf1600_permute 8s 9s -11%
poly_power2round 8s 10s -20%
polyveck_add 8s 11s -27%
polyveck_power2round 8s 8s +0%
polyveck_use_hint 8s 7s +14%
keccak_absorb 7s 8s -12%
keccakf1600_permute_native 7s 8s -12%
mld_compute_pack_z 7s 7s +0%
mld_sample_s1_s2 7s 6s +17%
pointwise_acc_native_aarch64 7s 7s +0%
pointwise_acc_native_x86_64 7s 7s +0%
poly_invntt_tomont_c 7s 8s -12%
poly_use_hint_c 7s 5s +40%
polyveck_ntt 7s 6s +17%
polyveck_sub 7s 5s +40%
sign 7s 5s +40%
keccak_squeezeblocks_x4 6s 5s +20%
mld_sample_s1_s2_serial 6s 7s -14%
poly_sub 6s 4s +50%
polyt1_pack 6s 2s +200%
polyveck_caddq 6s 7s -14%
polyveck_reduce 6s 4s +50%
polyvecl_ntt 6s 7s -14%
sig_unpack_hints 6s 5s +20%
sign_open 6s 5s +20%
sign_verify 6s 4s +50%
decompose 5s 4s +25%
keccak_f1600_x4_native_aarch64_v84a 5s 3s +67%
keccak_init 5s 3s +67%
mld_ct_cmask_nonzero_u8 5s 1s +400%
ntt_native_aarch64 5s 3s +67%
ntt_native_x86_64 5s 3s +67%
pack_pk 5s 3s +67%
poly_caddq 5s 2s +150%
poly_ntt 5s 3s +67%
poly_ntt_native 5s 3s +67%
poly_reduce 5s 3s +67%
poly_shiftl 5s 5s +0%
poly_uniform_eta 5s 6s -17%
poly_use_hint_native_aarch64 5s 3s +67%
polyvec_matrix_pointwise_montgomery 5s 8s -38%
polyveck_unpack_eta 5s 4s +25%
polyvecl_chknorm 5s 5s +0%
polyvecl_pointwise_acc_montgomery 5s 4s +25%
polyz_unpack 5s 2s +150%
polyz_unpack_c 5s 5s +0%
rej_eta_c 5s 3s +67%
shake128x4_squeezeblocks 5s 5s +0%
sign_signature_pre_hash_shake256 5s 4s +25%
sign_verify_pre_hash_shake256 5s 4s +25%
sk_s1hat_get_poly 5s 1s +400%
unpack_pk_t1 5s 4s +25%
use_hint 5s 6s -17%
keccak_f1600_x1_native_aarch64 4s 1s +300%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 4s 2s +100%
keccak_squeeze 4s 3s +33%
mld_ct_sel_int32 4s 2s +100%
mld_h 4s 5s -20%
mld_prepare_domain_separation_prefix 4s 5s -20%
mld_value_barrier_u32 4s 2s +100%
pack_sk_rho_key_tr_s2_t0 4s 3s +33%
pointwise_native_x86_64 4s 4s +0%
poly_challenge 4s 4s +0%
poly_decompose_c 4s 6s -33%
poly_decompose_native 4s 6s -33%
poly_invntt_tomont_native 4s 2s +100%
poly_pointwise_montgomery 4s 3s +33%
poly_uniform 4s 5s -20%
polyt0_pack 4s 4s +0%
polyt1_unpack 4s 1s +300%
polyvec_matrix_expand_serial 4s 3s +33%
polyveck_shiftl 4s 6s -33%
polyvecl_uniform_gamma1 4s 3s +33%
rej_eta_native 4s 3s +33%
shake128_init 4s 1s +300%
shake256 4s 3s +33%
shake256_absorb 4s 4s +0%
sign_signature 4s 4s +0%
sign_signature_extmu 4s 5s -20%
sign_signature_internal 4s 10s -60%
sign_verify_extmu 4s 6s -33%
sign_verify_pre_hash_internal 4s 4s +0%
sk_s2hat_get_poly 4s 3s +33%
sk_t0hat_get_poly 4s 3s +33%
unpack_sk_s2hat 4s 2s +100%
intt_native_x86_64 3s 1s +200%
keccakf1600_extract_bytes (big endian) 3s 5s -40%
keccakf1600_xor_bytes 3s 3s +0%
keccakf1600x4_permute 3s 2s +50%
make_hint 3s 3s +0%
mld_ct_cmask_neg_i32 3s 3s +0%
mld_ct_get_optblocker_i64 3s 1s +200%
mld_value_barrier_i64 3s 4s -25%
mld_value_barrier_u8 3s 2s +50%
nttunpack_native_x86_64 3s 3s +0%
pack_sig_z 3s 4s -25%
pack_sk_s1 3s 6s -50%
pointwise_native_aarch64 3s 3s +0%
poly_caddq_native_aarch64 3s 2s +50%
poly_chknorm 3s 1s +200%
poly_chknorm_native 3s 5s -40%
poly_decompose 3s 5s -40%
poly_invntt_tomont 3s 4s -25%
poly_make_hint 3s 4s -25%
poly_permute_bitrev_to_custom_optional 3s 4s -25%
poly_pointwise_montgomery_native 3s 5s -40%
poly_uniform_gamma1 3s 1s +200%
poly_uniform_gamma1_4x 3s 3s +0%
poly_use_hint 3s 2s +50%
poly_use_hint_native 3s 2s +50%
polyeta_pack 3s 3s +0%
polyvec_matrix_expand 3s 4s -25%
polyveck_chknorm 3s 4s -25%
polyveck_unpack_t0 3s 5s -40%
polyvecl_pointwise_acc_montgomery_c 3s 3s +0%
polyvecl_unpack_eta 3s 4s -25%
polyvecl_unpack_z 3s 4s -25%
polyz_unpack_19_native_aarch64 3s 5s -40%
polyz_unpack_native 3s 3s +0%
power2round 3s 4s -25%
shake128_squeeze 3s 1s +200%
shake256_release 3s 3s +0%
shake256_squeeze 3s 5s -40%
shake256x4_squeezeblocks 3s 3s +0%
sign_signature_pre_hash_internal 3s 6s -50%
unpack_sk 3s 6s -50%
unpack_sk_t0hat 3s 2s +50%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 2s +0%
keccak_f1600_x4_native_avx2 2s 2s +0%
keccak_finalize 2s 5s -60%
mld_ct_cmask_nonzero_u32 2s 4s -50%
mld_ct_get_optblocker_u32 2s 3s -33%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 3s -33%
mld_polymat_expand_entry 2s 4s -50%
montgomery_reduce 2s 3s -33%
pack_sig_c 2s 2s +0%
pack_sig_h_poly 2s 3s -33%
poly_caddq_native 2s 3s -33%
poly_chknorm_native_aarch64 2s 1s +100%
poly_ntt_c 2s 4s -50%
poly_permute_bitrev_to_custom_optional_native 2s 2s +0%
polyveck_pack_eta 2s 4s -50%
polyveck_pack_t0 2s 6s -67%
polyveck_pack_w1 2s 2s +0%
polyvecl_pack_eta 2s 5s -60%
polyvecl_pointwise_acc_montgomery_native 2s 4s -50%
polyvecl_uniform_gamma1_serial 2s 1s +100%
polyw1_pack 2s 2s +0%
polyz_pack 2s 4s -50%
polyz_unpack_17_native_aarch64 2s 3s -33%
reduce32 2s 2s +0%
shake128_absorb 2s 1s +100%
shake128_finalize 2s 3s -33%
shake128_release 2s 2s +0%
shake128x4_absorb_once 2s 4s -50%
shake256_finalize 2s 2s +0%
shake256x4_absorb_once 2s 2s +0%
sign_keypair 2s 3s -33%
sys_check_capability 2s 4s -50%
unpack_sk_s1hat 2s 2s +0%
yvec_get_poly 2s 5s -60%
yvec_init 2s 4s -50%
caddq 1s 2s -50%
fqscale 1s 2s -50%
keccakf1600_xor_bytes (big endian) 1s 2s -50%
keccakf1600x4_extract_bytes 1s 3s -67%
keccakf1600x4_xor_bytes 1s 5s -80%
mld_ct_abs_i32 1s 2s -50%
poly_uniform_4x 1s 4s -75%
rej_eta 1s 3s -67%
shake256_init 1s 3s -67%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Apr 30, 2026
edited
Loading

CBMC Results (ML-DSA-65, REDUCE-RAM)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1498s 1648s -9.1%
poly_pointwise_montgomery_c 164s 217s -24%
rej_uniform_native 103s 116s -11%
mld_invntt_layer 96s 115s -17%
polyvec_matrix_pointwise_montgomery_yvec 74s 79s -6%
mld_ct_memcmp 69s 87s -21%
mld_ntt_layer 41s 44s -7%
mld_attempt_signature_generation 30s 34s -12%
fqmul 27s 32s -16%
keccakf1600x4_permute_native 21s 23s -9%
sign_keypair_internal 21s 22s -5%
sign_verify_internal 20s 21s -5%
rej_uniform 19s 22s -14%
rej_uniform_c 18s 20s -10%
mld_ntt_butterfly_block 16s 17s -6%
polyveck_decompose 16s 16s +0%
polyvec_matrix_pointwise_montgomery_row 15s 15s +0%
polyveck_power2round 15s 17s -12%
poly_chknorm_c 14s 15s -7%
poly_uniform_eta_4x 14s 12s +17%
polyveck_add 13s 14s -7%
sign_pk_from_sk 13s 17s -24%
poly_add 12s 13s -8%
mld_check_pct 11s 10s +10%
polyt0_unpack 11s 11s +0%
keccak_absorb_once_x4 10s 10s +0%
polyveck_chknorm 9s 12s -25%
polyveck_invntt_tomont 9s 8s +12%
polyveck_use_hint 9s 8s +12%
poly_caddq_c 8s 9s -11%
poly_invntt_tomont_c 8s 9s -11%
polyveck_caddq 8s 8s +0%
keccakf1600_permute 7s 7s +0%
mld_compute_pack_z 7s 6s +17%
pointwise_acc_native_x86_64 7s 6s +17%
poly_ntt_native 7s 2s +250%
polyveck_ntt 7s 5s +40%
polyveck_pointwise_poly_montgomery 7s 7s +0%
polyveck_shiftl 7s 6s +17%
polyveck_sub 7s 8s -12%
polyvecl_chknorm 7s 9s -22%
sign_verify 7s 6s +17%
keccak_absorb 6s 9s -33%
keccak_f1600_x4_native_avx2 6s 3s +100%
keccakf1600_permute_native 6s 5s +20%
pointwise_acc_native_aarch64 6s 6s +0%
poly_caddq_native_aarch64 6s 3s +100%
poly_power2round 6s 7s -14%
poly_shiftl 6s 6s +0%
poly_uniform_eta 6s 3s +100%
polyveck_reduce 6s 7s -14%
polyvecl_ntt 6s 6s +0%
polyvecl_unpack_z 6s 3s +100%
power2round 6s 4s +50%
sig_unpack_hints 6s 7s -14%
sign 6s 6s +0%
sign_signature_pre_hash_shake256 6s 3s +100%
keccak_squeezeblocks_x4 5s 5s +0%
keccakf1600x4_extract_bytes 5s 3s +67%
make_hint 5s 3s +67%
mld_ct_cmask_nonzero_u8 5s 4s +25%
mld_prepare_domain_separation_prefix 5s 3s +67%
mld_sample_s1_s2_serial 5s 5s +0%
polyvec_matrix_pointwise_montgomery 5s 4s +25%
polyveck_unpack_t0 5s 3s +67%
polyz_unpack_c 5s 4s +25%
rej_eta_c 5s 5s +0%
sign_signature_pre_hash_internal 5s 5s +0%
sign_verify_extmu 5s 4s +25%
sk_t0hat_get_poly 5s 3s +67%
keccak_f1600_x1_native_aarch64 4s 2s +100%
keccak_squeeze 4s 4s +0%
mld_ct_cmask_neg_i32 4s 2s +100%
mld_h 4s 4s +0%
mld_value_barrier_u32 4s 2s +100%
montgomery_reduce 4s 3s +33%
ntt_native_aarch64 4s 3s +33%
ntt_native_x86_64 4s 3s +33%
nttunpack_native_x86_64 4s 2s +100%
pack_sk_s1 4s 3s +33%
poly_challenge 4s 2s +100%
poly_decompose 4s 2s +100%
poly_decompose_c 4s 5s -20%
poly_ntt_c 4s 3s +33%
poly_use_hint 4s 2s +100%
polyeta_unpack 4s 4s +0%
polyt0_pack 4s 5s -20%
polyt1_pack 4s 2s +100%
polyveck_pack_t0 4s 4s +0%
polyvecl_pointwise_acc_montgomery_c 4s 2s +100%
polyvecl_pointwise_acc_montgomery_native 4s 5s -20%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyz_unpack_17_native_aarch64 4s 3s +33%
sign_signature_extmu 4s 7s -43%
sign_signature_internal 4s 5s -20%
sk_s2hat_get_poly 4s 5s -20%
unpack_sk_s1hat 4s 2s +100%
caddq 3s 5s -40%
decompose 3s 3s +0%
fqscale 3s 3s +0%
keccak_f1600_x1_native_aarch64_v84a 3s 2s +50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 3s 2s +50%
keccak_finalize 3s 4s -25%
keccak_init 3s 1s +200%
keccakf1600x4_permute 3s 5s -40%
keccakf1600x4_xor_bytes 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_keccakf1600_extract_bytes 3s 3s +0%
mld_polymat_expand_entry 3s 2s +50%
mld_value_barrier_i64 3s 2s +50%
pack_pk 3s 4s -25%
pack_sig_h_poly 3s 2s +50%
pack_sig_z 3s 3s +0%
pack_sk_rho_key_tr_s2_t0 3s 2s +50%
pointwise_native_x86_64 3s 4s -25%
poly_caddq 3s 2s +50%
poly_chknorm_native 3s 4s -25%
poly_chknorm_native_aarch64 3s 3s +0%
poly_invntt_tomont 3s 4s -25%
poly_ntt 3s 3s +0%
poly_permute_bitrev_to_custom_optional_native 3s 3s +0%
poly_pointwise_montgomery 3s 2s +50%
poly_reduce 3s 4s -25%
poly_sub 3s 3s +0%
poly_uniform 3s 5s -40%
poly_uniform_gamma1 3s 3s +0%
poly_use_hint_c 3s 4s -25%
polyveck_pack_eta 3s 2s +50%
polyveck_pack_w1 3s 4s -25%
polyveck_unpack_eta 3s 4s -25%
polyvecl_pack_eta 3s 3s +0%
polyvecl_pointwise_acc_montgomery 3s 2s +50%
polyvecl_unpack_eta 3s 2s +50%
polyz_unpack 3s 3s +0%
polyz_unpack_19_native_aarch64 3s 6s -50%
polyz_unpack_native 3s 3s +0%
reduce32 3s 2s +50%
rej_eta_native 3s 6s -50%
shake128_absorb 3s 2s +50%
shake128_finalize 3s 1s +200%
shake128_init 3s 3s +0%
shake128_squeeze 3s 4s -25%
shake256 3s 2s +50%
shake256_finalize 3s 3s +0%
sign_keypair 3s 4s -25%
sign_open 3s 4s -25%
sign_verify_pre_hash_shake256 3s 5s -40%
unpack_pk_t1 3s 3s +0%
unpack_sk_t0hat 3s 2s +50%
yvec_get_poly 3s 2s +50%
yvec_init 3s 3s +0%
keccak_f1600_x4_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 3s -33%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600_xor_bytes 2s 1s +100%
mld_ct_abs_i32 2s 3s -33%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_ct_get_optblocker_u32 2s 2s +0%
mld_ct_get_optblocker_u8 2s 1s +100%
mld_ct_sel_int32 2s 1s +100%
mld_sample_s1_s2 2s 6s -67%
mld_value_barrier_u8 2s 4s -50%
pointwise_native_aarch64 2s 4s -50%
poly_caddq_native 2s 4s -50%
poly_chknorm 2s 3s -33%
poly_decompose_native 2s 2s +0%
poly_make_hint 2s 3s -33%
poly_uniform_4x 2s 2s +0%
poly_uniform_gamma1_4x 2s 3s -33%
poly_use_hint_native 2s 4s -50%
poly_use_hint_native_aarch64 2s 4s -50%
polyt1_unpack 2s 1s +100%
polyvec_matrix_expand 2s 3s -33%
polyvec_matrix_expand_serial 2s 3s -33%
polyw1_pack 2s 2s +0%
polyz_pack 2s 4s -50%
rej_eta 2s 1s +100%
shake128x4_absorb_once 2s 2s +0%
shake128x4_squeezeblocks 2s 3s -33%
shake256_absorb 2s 3s -33%
shake256_init 2s 4s -50%
shake256_release 2s 5s -60%
shake256x4_absorb_once 2s 3s -33%
shake256x4_squeezeblocks 2s 2s +0%
sign_signature 2s 3s -33%
sign_verify_pre_hash_internal 2s 5s -60%
sk_s1hat_get_poly 2s 3s -33%
sys_check_capability 2s 4s -50%
unpack_sk 2s 3s -33%
use_hint 2s 2s +0%
intt_native_x86_64 1s 5s -80%
keccakf1600_xor_bytes (big endian) 1s 2s -50%
pack_sig_c 1s 6s -83%
poly_invntt_tomont_native 1s 5s -80%
poly_permute_bitrev_to_custom_optional 1s 2s -50%
poly_pointwise_montgomery_native 1s 3s -67%
polyeta_pack 1s 4s -75%
polyvecl_uniform_gamma1 1s 3s -67%
shake128_release 1s 1s +0%
shake256_squeeze 1s 3s -67%
unpack_sk_s2hat 1s 3s -67%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Apr 30, 2026
edited
Loading

CBMC Results (ML-DSA-87)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 2791s 2476s +12.7%
sign_verify_internal 416s 372s +12%
polyvecl_pointwise_acc_montgomery_c 385s 317s +21%
polyvec_matrix_expand 186s 159s +17%
rej_uniform_native 133s 120s +11%
mld_attempt_signature_generation 121s 110s +10%
mld_invntt_layer 108s 94s +15%
poly_pointwise_montgomery_c 108s 88s +23%
mld_ct_memcmp 85s 74s +15%
polyvec_matrix_expand_serial 62s 56s +11%
sign_keypair_internal 54s 49s +10%
mld_ntt_layer 46s 42s +10%
sign_signature_internal 40s 37s +8%
polyveck_power2round 36s 34s +6%
sign_pk_from_sk 34s 35s -3%
fqmul 31s 28s +11%
polyvec_matrix_pointwise_montgomery 31s 29s +7%
keccakf1600x4_permute_native 23s 22s +5%
mld_ntt_butterfly_block 21s 15s +40%
rej_uniform_c 21s 18s +17%
polyvec_matrix_pointwise_montgomery_yvec 20s 20s +0%
rej_uniform 17s 15s +13%
poly_chknorm_c 16s 16s +0%
polyt0_unpack 16s 14s +14%
poly_uniform_eta_4x 15s 13s +15%
poly_add 14s 10s +40%
poly_uniform_4x 13s 10s +30%
polyeta_unpack 13s 13s +0%
polyveck_add 13s 11s +18%
polyveck_decompose 13s 10s +30%
polyveck_ntt 13s 9s +44%
mld_check_pct 12s 9s +33%
keccak_absorb_once_x4 11s 8s +38%
polyveck_use_hint 11s 10s +10%
poly_power2round 10s 7s +43%
poly_invntt_tomont_c 9s 9s +0%
polyveck_pointwise_poly_montgomery 9s 9s +0%
polyveck_shiftl 9s 7s +29%
keccakf1600_permute_native 8s 9s -11%
mld_compute_pack_z 8s 7s +14%
pointwise_acc_native_aarch64 8s 9s -11%
pointwise_acc_native_x86_64 8s 10s -20%
poly_invntt_tomont_native 8s 2s +300%
keccak_absorb 7s 6s +17%
keccakf1600_permute 7s 7s +0%
poly_challenge 7s 3s +133%
poly_decompose_c 7s 9s -22%
polyveck_invntt_tomont 7s 5s +40%
polyveck_reduce 7s 5s +40%
polyveck_sub 7s 7s +0%
sign 7s 5s +40%
poly_decompose 6s 4s +50%
poly_pointwise_montgomery_native 6s 3s +100%
poly_shiftl 6s 3s +100%
poly_uniform_eta 6s 4s +50%
poly_uniform_gamma1_4x 6s 4s +50%
polyveck_pack_eta 6s 6s +0%
polyvecl_ntt 6s 6s +0%
polyz_unpack_c 6s 5s +20%
sig_unpack_hints 6s 8s -25%
sign_verify_pre_hash_shake256 6s 3s +100%
keccak_squeeze 5s 1s +400%
keccak_squeezeblocks_x4 5s 4s +25%
keccakf1600_extract_bytes (big endian) 5s 1s +400%
keccakf1600x4_permute 5s 3s +67%
mld_sample_s1_s2 5s 8s -38%
montgomery_reduce 5s 4s +25%
nttunpack_native_x86_64 5s 3s +67%
pack_pk 5s 7s -29%
poly_caddq_c 5s 4s +25%
poly_chknorm_native_aarch64 5s 4s +25%
poly_invntt_tomont 5s 4s +25%
poly_ntt_c 5s 2s +150%
poly_use_hint_c 5s 5s +0%
polyeta_pack 5s 4s +25%
polyt0_pack 5s 4s +25%
polyveck_caddq 5s 4s +25%
polyveck_chknorm 5s 4s +25%
polyveck_unpack_t0 5s 5s +0%
polyvecl_uniform_gamma1 5s 5s +0%
rej_eta_native 5s 5s +0%
shake256_squeeze 5s 1s +400%
sign_open 5s 2s +150%
sign_signature_extmu 5s 5s +0%
sign_signature_pre_hash_shake256 5s 3s +67%
sys_check_capability 5s 2s +150%
unpack_sk 5s 4s +25%
unpack_sk_t0hat 5s 5s +0%
keccakf1600x4_extract_bytes 4s 3s +33%
mld_h 4s 5s -20%
mld_prepare_domain_separation_prefix 4s 4s +0%
mld_sample_s1_s2_serial 4s 6s -33%
mld_value_barrier_u32 4s 3s +33%
pack_sig_z 4s 4s +0%
pack_sk_s1 4s 5s -20%
poly_caddq_native 4s 2s +100%
poly_decompose_native 4s 3s +33%
poly_ntt 4s 2s +100%
poly_reduce 4s 3s +33%
poly_uniform 4s 3s +33%
poly_use_hint 4s 5s -20%
poly_use_hint_native 4s 2s +100%
poly_use_hint_native_aarch64 4s 4s +0%
polyt1_pack 4s 4s +0%
polyvec_matrix_pointwise_montgomery_row 4s 4s +0%
polyveck_pack_w1 4s 3s +33%
polyveck_unpack_eta 4s 3s +33%
polyvecl_chknorm 4s 4s +0%
polyvecl_pack_eta 4s 2s +100%
polyvecl_pointwise_acc_montgomery_native 4s 4s +0%
polyvecl_unpack_eta 4s 6s -33%
polyz_unpack 4s 2s +100%
polyz_unpack_native 4s 3s +33%
shake128_squeeze 4s 2s +100%
shake128x4_absorb_once 4s 2s +100%
shake256_init 4s 3s +33%
shake256x4_absorb_once 4s 3s +33%
shake256x4_squeezeblocks 4s 4s +0%
sign_keypair 4s 4s +0%
sign_verify 4s 2s +100%
use_hint 4s 2s +100%
yvec_init 4s 3s +33%
fqscale 3s 4s -25%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x4_native_aarch64_v84a 3s 3s +0%
keccak_finalize 3s 2s +50%
keccakf1600_xor_bytes 3s 3s +0%
mld_ct_abs_i32 3s 1s +200%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_ct_get_optblocker_i64 3s 1s +200%
mld_ct_get_optblocker_u8 3s 2s +50%
ntt_native_aarch64 3s 3s +0%
ntt_native_x86_64 3s 5s -40%
pack_sig_c 3s 4s -25%
pack_sig_h_poly 3s 3s +0%
poly_caddq_native_aarch64 3s 5s -40%
poly_chknorm 3s 3s +0%
poly_chknorm_native 3s 2s +50%
poly_make_hint 3s 5s -40%
poly_permute_bitrev_to_custom_optional 3s 4s -25%
poly_pointwise_montgomery 3s 2s +50%
polyveck_pack_t0 3s 2s +50%
polyvecl_uniform_gamma1_serial 3s 3s +0%
polyz_pack 3s 4s -25%
polyz_unpack_17_native_aarch64 3s 2s +50%
shake128_absorb 3s 2s +50%
shake128_finalize 3s 2s +50%
shake128_init 3s 3s +0%
shake128_release 3s 5s -40%
shake128x4_squeezeblocks 3s 2s +50%
shake256 3s 2s +50%
sign_signature_pre_hash_internal 3s 3s +0%
sign_verify_extmu 3s 5s -40%
sign_verify_pre_hash_internal 3s 2s +50%
sk_s1hat_get_poly 3s 3s +0%
sk_t0hat_get_poly 3s 2s +50%
unpack_pk_t1 3s 3s +0%
unpack_sk_s2hat 3s 3s +0%
caddq 2s 3s -33%
decompose 2s 3s -33%
keccak_f1600_x1_native_aarch64 2s 2s +0%
keccak_f1600_x1_native_aarch64_v84a 2s 3s -33%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 4s -50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 1s +100%
keccak_init 2s 1s +100%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_xor_bytes 2s 5s -60%
make_hint 2s 4s -50%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_ct_cmask_nonzero_u8 2s 2s +0%
mld_ct_get_optblocker_u32 2s 1s +100%
mld_keccakf1600_extract_bytes 2s 4s -50%
mld_polymat_expand_entry 2s 2s +0%
mld_value_barrier_i64 2s 2s +0%
mld_value_barrier_u8 2s 1s +100%
pack_sk_rho_key_tr_s2_t0 2s 3s -33%
pointwise_native_aarch64 2s 5s -60%
pointwise_native_x86_64 2s 3s -33%
poly_caddq 2s 4s -50%
poly_permute_bitrev_to_custom_optional_native 2s 2s +0%
poly_uniform_gamma1 2s 3s -33%
polyt1_unpack 2s 1s +100%
polyvecl_pointwise_acc_montgomery 2s 3s -33%
polyvecl_unpack_z 2s 4s -50%
polyw1_pack 2s 3s -33%
polyz_unpack_19_native_aarch64 2s 5s -60%
power2round 2s 3s -33%
rej_eta 2s 2s +0%
rej_eta_c 2s 4s -50%
shake256_absorb 2s 3s -33%
shake256_finalize 2s 2s +0%
shake256_release 2s 3s -33%
sign_signature 2s 6s -67%
sk_s2hat_get_poly 2s 4s -50%
unpack_sk_s1hat 2s 4s -50%
yvec_get_poly 2s 3s -33%
keccak_f1600_x4_native_avx2 1s 2s -50%
mld_ct_sel_int32 1s 4s -75%
poly_ntt_native 1s 3s -67%
poly_sub 1s 2s -50%
reduce32 1s 2s -50%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Apr 30, 2026
edited
Loading

CBMC Results (ML-DSA-65)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 2449s 2344s +4.5%
polyvecl_pointwise_acc_montgomery_c 560s 519s +8%
sign_verify_internal 258s 246s +5%
rej_uniform_native 127s 123s +3%
polyvec_matrix_expand 126s 125s +1%
poly_pointwise_montgomery_c 99s 95s +4%
mld_invntt_layer 96s 95s +1%
mld_ct_memcmp 78s 73s +7%
mld_attempt_signature_generation 43s 40s +7%
mld_ntt_layer 42s 40s +5%
sign_keypair_internal 30s 27s +11%
fqmul 29s 26s +12%
sign_signature_internal 29s 26s +12%
polyvec_matrix_expand_serial 26s 27s -4%
keccakf1600x4_permute_native 25s 23s +9%
polyvec_matrix_pointwise_montgomery 22s 21s +5%
rej_uniform_c 19s 18s +6%
sign_pk_from_sk 19s 20s -5%
polyvec_matrix_pointwise_montgomery_yvec 18s 18s +0%
rej_uniform 17s 16s +6%
mld_ntt_butterfly_block 16s 15s +7%
polyveck_power2round 16s 16s +0%
polyveck_decompose 15s 15s +0%
poly_chknorm_c 14s 16s -12%
polyt0_unpack 14s 15s -7%
poly_uniform_4x 13s 13s +0%
poly_uniform_eta_4x 13s 13s +0%
poly_add 11s 9s +22%
polyveck_add 11s 9s +22%
polyveck_use_hint 11s 9s +22%
keccak_absorb_once_x4 10s 8s +25%
pointwise_acc_native_x86_64 10s 6s +67%
poly_invntt_tomont_c 10s 9s +11%
poly_power2round 10s 12s -17%
keccak_absorb 9s 6s +50%
polyveck_pointwise_poly_montgomery 9s 7s +29%
sign 9s 7s +29%
keccakf1600_permute 8s 9s -11%
mld_check_pct 8s 9s -11%
mld_compute_pack_z 8s 7s +14%
polyveck_ntt 8s 8s +0%
keccakf1600_permute_native 7s 8s -12%
poly_challenge 7s 4s +75%
poly_shiftl 7s 4s +75%
polyveck_invntt_tomont 7s 7s +0%
polyveck_shiftl 7s 8s -12%
polyvecl_chknorm 7s 7s +0%
polyvecl_ntt 7s 7s +0%
sign_verify 7s 6s +17%
mld_sample_s1_s2 6s 3s +100%
pointwise_native_x86_64 6s 3s +100%
polyveck_caddq 6s 5s +20%
polyveck_reduce 6s 6s +0%
polyveck_sub 6s 7s -14%
polyvecl_pointwise_acc_montgomery_native 6s 3s +100%
rej_eta_c 6s 4s +50%
sig_unpack_hints 6s 4s +50%
sign_open 6s 5s +20%
sign_signature_extmu 6s 5s +20%
sign_signature_pre_hash_internal 6s 4s +50%
fqscale 5s 3s +67%
intt_native_x86_64 5s 5s +0%
keccakf1600_extract_bytes (big endian) 5s 2s +150%
keccakf1600x4_permute 5s 2s +150%
mld_prepare_domain_separation_prefix 5s 5s +0%
mld_sample_s1_s2_serial 5s 4s +25%
ntt_native_aarch64 5s 2s +150%
nttunpack_native_x86_64 5s 4s +25%
pack_sk_rho_key_tr_s2_t0 5s 3s +67%
pointwise_acc_native_aarch64 5s 5s +0%
poly_caddq_native_aarch64 5s 2s +150%
poly_invntt_tomont_native 5s 4s +25%
poly_ntt 5s 2s +150%
poly_use_hint_native_aarch64 5s 3s +67%
polyz_unpack_c 5s 5s +0%
sign_signature 5s 6s -17%
sign_signature_pre_hash_shake256 5s 4s +25%
sign_verify_extmu 5s 4s +25%
sys_check_capability 5s 3s +67%
unpack_sk 5s 2s +150%
decompose 4s 3s +33%
keccak_f1600_x1_native_aarch64 4s 3s +33%
keccak_squeezeblocks_x4 4s 4s +0%
mld_ct_cmask_nonzero_u32 4s 4s +0%
mld_h 4s 3s +33%
montgomery_reduce 4s 2s +100%
pack_sig_c 4s 3s +33%
pack_sig_h_poly 4s 4s +0%
poly_caddq_c 4s 5s -20%
poly_make_hint 4s 3s +33%
poly_uniform 4s 4s +0%
poly_uniform_eta 4s 3s +33%
poly_use_hint 4s 3s +33%
poly_use_hint_c 4s 3s +33%
polyt0_pack 4s 3s +33%
polyvec_matrix_pointwise_montgomery_row 4s 5s -20%
polyveck_chknorm 4s 3s +33%
polyveck_unpack_eta 4s 3s +33%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyz_unpack_17_native_aarch64 4s 3s +33%
polyz_unpack_native 4s 3s +33%
shake256_finalize 4s 2s +100%
sign_verify_pre_hash_internal 4s 4s +0%
sign_verify_pre_hash_shake256 4s 6s -33%
unpack_sk_t0hat 4s 3s +33%
yvec_get_poly 4s 2s +100%
keccak_f1600_x1_native_aarch64_v84a 3s 1s +200%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 6s -50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 3s 3s +0%
keccak_finalize 3s 3s +0%
keccak_init 3s 5s -40%
keccak_squeeze 3s 1s +200%
keccakf1600_xor_bytes 3s 3s +0%
keccakf1600_xor_bytes (big endian) 3s 4s -25%
keccakf1600x4_xor_bytes 3s 3s +0%
mld_ct_abs_i32 3s 3s +0%
mld_ct_cmask_nonzero_u8 3s 3s +0%
mld_ct_get_optblocker_i64 3s 3s +0%
mld_ct_get_optblocker_u32 3s 5s -40%
mld_ct_get_optblocker_u8 3s 5s -40%
mld_ct_sel_int32 3s 2s +50%
mld_polymat_expand_entry 3s 2s +50%
mld_value_barrier_u8 3s 1s +200%
ntt_native_x86_64 3s 3s +0%
pack_sk_s1 3s 5s -40%
pointwise_native_aarch64 3s 4s -25%
poly_chknorm 3s 1s +200%
poly_decompose 3s 3s +0%
poly_decompose_native 3s 2s +50%
poly_invntt_tomont 3s 5s -40%
poly_ntt_c 3s 2s +50%
poly_ntt_native 3s 2s +50%
poly_permute_bitrev_to_custom_optional_native 3s 4s -25%
poly_reduce 3s 3s +0%
poly_sub 3s 5s -40%
polyeta_unpack 3s 2s +50%
polyt1_pack 3s 5s -40%
polyveck_pack_t0 3s 2s +50%
polyveck_pack_w1 3s 6s -50%
polyveck_unpack_t0 3s 4s -25%
polyvecl_unpack_z 3s 5s -40%
polyz_unpack_19_native_aarch64 3s 3s +0%
power2round 3s 3s +0%
rej_eta 3s 4s -25%
rej_eta_native 3s 3s +0%
shake128_absorb 3s 2s +50%
shake128_finalize 3s 1s +200%
shake128x4_absorb_once 3s 4s -25%
shake256_init 3s 2s +50%
shake256_squeeze 3s 5s -40%
shake256x4_squeezeblocks 3s 3s +0%
sign_keypair 3s 4s -25%
unpack_sk_s2hat 3s 3s +0%
use_hint 3s 2s +50%
caddq 2s 2s +0%
keccak_f1600_x4_native_avx2 2s 1s +100%
make_hint 2s 5s -60%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 2s +0%
mld_value_barrier_u32 2s 4s -50%
poly_caddq 2s 4s -50%
poly_caddq_native 2s 4s -50%
poly_chknorm_native 2s 2s +0%
poly_decompose_c 2s 5s -60%
poly_permute_bitrev_to_custom_optional 2s 4s -50%
poly_pointwise_montgomery 2s 4s -50%
poly_pointwise_montgomery_native 2s 3s -33%
poly_uniform_gamma1 2s 4s -50%
poly_uniform_gamma1_4x 2s 3s -33%
poly_use_hint_native 2s 2s +0%
polyeta_pack 2s 2s +0%
polyt1_unpack 2s 5s -60%
polyveck_pack_eta 2s 3s -33%
polyvecl_pack_eta 2s 2s +0%
polyvecl_pointwise_acc_montgomery 2s 1s +100%
polyvecl_uniform_gamma1 2s 2s +0%
polyvecl_unpack_eta 2s 3s -33%
polyw1_pack 2s 3s -33%
polyz_pack 2s 3s -33%
polyz_unpack 2s 3s -33%
reduce32 2s 3s -33%
shake128_init 2s 2s +0%
shake128_squeeze 2s 4s -50%
shake128x4_squeezeblocks 2s 1s +100%
shake256_absorb 2s 4s -50%
sk_s2hat_get_poly 2s 3s -33%
sk_t0hat_get_poly 2s 3s -33%
unpack_pk_t1 2s 4s -50%
unpack_sk_s1hat 2s 2s +0%
yvec_init 2s 2s +0%
keccak_f1600_x4_native_aarch64_v84a 1s 2s -50%
keccakf1600x4_extract_bytes 1s 2s -50%
mld_value_barrier_i64 1s 1s +0%
pack_pk 1s 4s -75%
pack_sig_z 1s 4s -75%
poly_chknorm_native_aarch64 1s 3s -67%
shake128_release 1s 3s -67%
shake256 1s 6s -83%
shake256_release 1s 1s +0%
shake256x4_absorb_once 1s 1s +0%
sk_s1hat_get_poly 1s 3s -67%

hanno-becker
hanno-becker requested changes May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is the right move -- the cost of an alloc/free is negligible, less important IMO than uniformity for the allocation mechanism. For the security-critical RNG bytes in particular, one could imagine a use case where the consumer has registered a dedicated allocator from a "special" -- in some sense -- to hold the security sensitive material.

Can we rather go the other way, and strive to use MLD_ALLOC/MLD_FREE exclusively?

@mkannwischer
Copy link
Copy Markdown
Contributor Author

mkannwischer commented May 1, 2026
edited
Loading

I'm not sure this is the right move -- the cost of an alloc/free is negligible, less important IMO than uniformity for the allocation mechanism. For the security-critical RNG bytes in particular, one could imagine a use case where the consumer has registered a dedicated allocator from a "special" -- in some sense -- to hold the security sensitive material.

Can we rather go the other way, and strive to use MLD_ALLOC/MLD_FREE exclusively?

I don't have a strong opinion which way - I just wanted it to be consistent and the majority of tiny buffers were on the stack.
Happy to change. I think the same applies to mlkem-native. No changes needed in mlkem-native.

@mkannwischer mkannwischer changed the title sign: Move rnd buffer to the stack in mld_sign_signature sign: Use MLD_ALLOC for all secret buffers in sign.c May 1, 2026
@mkannwischer mkannwischer force-pushed the sign-rnd-on-stack branch 3 times, most recently from 63c03d0 to 434f7e7 Compare May 1, 2026 14:16
@mkannwischer mkannwischer marked this pull request as ready for review May 2, 2026 02:04
@mkannwischer mkannwischer requested a review from a team as a code owner May 2, 2026 02:04
hanno-becker
hanno-becker reviewed May 2, 2026
View reviewed changes
Comment thread mldsa/src/sign.c Outdated
Comment on lines +1192 to +1193
MLD_ALLOC(pre, uint8_t, MLD_DOMAIN_SEPARATION_MAX_BYTES, context);

Copy link
Copy Markdown
Contributor

@hanno-becker hanno-becker May 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's follow the PR description "Fixed-size, non-secret stack buffers (hpk, ph, message[1] in PCT) are
left on the stack" and restrict the change to seed and rng for now.

hanno-becker
hanno-becker requested changes May 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @mkannwischer! Good to have that unified for the secret seed and rng buffers. As per the PR description, I think the public, small + statically sized domain separation prefix can be continued to be allocated on the stack for now.

@mkannwischer mkannwischer force-pushed the sign-rnd-on-stack branch 2 times, most recently from 97ada0c to 2ef6c69 Compare May 3, 2026 02:24
@mkannwischer
sign: Use MLD_ALLOC for secret seed/rnd buffers in sign.c
c58a86d 
Convert the stack-allocated rnd/seed buffers in the public sign API
wrappers to MLD_ALLOC so that consumers using a custom allocator
(MLD_CONFIG_CUSTOM_ALLOC_FREE) place RNG-derived secret material
through the same allocation path.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hanno-becker hanno-becker hanno-becker approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mkannwischer @oqs-bot @hanno-becker