Skip to content

Use heap allocation + valgrind in backend unit test#1089

Merged
mkannwischer merged 3 commits intomainfrom
port_1633
May 4, 2026
Merged

Use heap allocation + valgrind in backend unit test#1089
mkannwischer merged 3 commits intomainfrom
port_1633

Conversation

@hanno-becker
Copy link
Copy Markdown
Contributor

@hanno-becker hanno-becker commented May 3, 2026
edited by mkannwischer
Loading

Port of mlkem-native#1633 to mldsa-native.

  • Replace aligned_alloc + MLD_ALIGN_UP with posix_memalign in custom_heap_alloc_config.h. Unlike aligned_alloc, posix_memalign does not require the size to be a multiple of the alignment, removing the need for MLD_ALIGN_UP rounding. This ensures that allocations are exact-sized, allowing memory-safety tests like valgrind and ASan to detect overflows at precise buffer boundaries. On Windows, _aligned_malloc is used instead. Also adds the missing configs.yml entry so the file is tracked by autogen.

  • Replace all stack-allocated buffers in test_unit.c with heap allocations via MLD_ALLOC/MLD_FREE, using the custom_heap_alloc_config. This enables valgrind to detect buffer overflows in assembly backends, which operate on these buffers.

  • Build the unit test objects with custom_heap_alloc_config.h by adding the appropriate -DMLD_CONFIG_FILE, -std=c11, and -D_GNU_SOURCE flags in components.mk, factored through a new UNIT_CFLAGS variable.

  • Add unit_valgrind job to ci.yml that runs the unit tests under valgrind on x86_64 and aarch64 runners. This catches buffer overflows in hand-written assembly that ASan cannot detect, since ASan only instruments compiler-generated code.

@hanno-becker hanno-becker force-pushed the port_1633 branch 2 times, most recently from c694808 to 781325d Compare May 3, 2026 06:00
@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented May 3, 2026
edited
Loading

CBMC Results (ML-DSA-44, REDUCE-RAM)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1496s 1504s -0.5%
poly_pointwise_montgomery_c 177s 178s -1%
rej_uniform_native 109s 111s -2%
mld_invntt_layer 103s 108s -5%
mld_ct_memcmp 75s 80s -6%
polyvec_matrix_pointwise_montgomery_yvec 64s 63s +2%
mld_ntt_layer 42s 44s -5%
sign_verify_internal 31s 28s +11%
fqmul 28s 32s -12%
keccakf1600x4_permute_native 21s 23s -9%
rej_uniform 21s 20s +5%
mld_attempt_signature_generation 20s 17s +18%
rej_uniform_c 20s 19s +5%
polyeta_unpack 18s 18s +0%
mld_ntt_butterfly_block 15s 15s +0%
polyveck_use_hint 15s 15s +0%
poly_chknorm_c 14s 12s +17%
sign_keypair_internal 14s 15s -7%
sign_pk_from_sk 14s 11s +27%
mld_check_pct 13s 12s +8%
poly_uniform_eta_4x 13s 13s +0%
keccak_absorb_once_x4 12s 8s +50%
poly_add 12s 12s +0%
polyt0_unpack 12s 12s +0%
polyveck_pointwise_poly_montgomery 11s 8s +38%
poly_invntt_tomont_c 9s 10s -10%
polyvecl_chknorm 9s 6s +50%
polyveck_chknorm 8s 6s +33%
polyveck_decompose 8s 6s +33%
polyveck_power2round 8s 6s +33%
keccakf1600_permute 7s 5s +40%
mld_compute_pack_z 7s 5s +40%
poly_decompose_c 7s 8s -12%
poly_power2round 7s 8s -12%
poly_shiftl 7s 9s -22%
polyvec_matrix_pointwise_montgomery_row 7s 6s +17%
polyveck_reduce 7s 7s +0%
polyvecl_ntt 7s 5s +40%
sign_signature 7s 7s +0%
keccak_absorb 6s 7s -14%
keccak_squeezeblocks_x4 6s 3s +100%
keccakf1600_permute_native 6s 6s +0%
poly_caddq_c 6s 7s -14%
poly_make_hint 6s 3s +100%
polyveck_add 6s 7s -14%
polyvecl_pointwise_acc_montgomery 6s 4s +50%
sign_verify_pre_hash_internal 6s 4s +50%
mld_sample_s1_s2 5s 6s -17%
nttunpack_native_x86_64 5s 3s +67%
pointwise_native_x86_64 5s 2s +150%
poly_challenge 5s 4s +25%
poly_ntt_native 5s 3s +67%
poly_uniform_gamma1 5s 2s +150%
poly_use_hint_native_aarch64 5s 3s +67%
polyeta_pack 5s 5s +0%
polyvec_matrix_expand_serial 5s 6s -17%
polyveck_invntt_tomont 5s 5s +0%
polyveck_ntt 5s 5s +0%
polyvecl_uniform_gamma1 5s 4s +25%
polyvecl_uniform_gamma1_serial 5s 3s +67%
shake128_squeeze 5s 2s +150%
shake256_finalize 5s 2s +150%
shake256_squeeze 5s 2s +150%
shake256x4_squeezeblocks 5s 2s +150%
sign 5s 6s -17%
sign_signature_extmu 5s 6s -17%
sign_signature_internal 5s 3s +67%
sign_signature_pre_hash_shake256 5s 3s +67%
sk_s1hat_get_poly 5s 3s +67%
sys_check_capability 5s 1s +400%
mld_ct_cmask_nonzero_u32 4s 4s +0%
montgomery_reduce 4s 5s -20%
ntt_native_aarch64 4s 4s +0%
pack_sk_s1 4s 5s -20%
poly_chknorm_native 4s 2s +100%
poly_decompose_native 4s 4s +0%
poly_pointwise_montgomery 4s 3s +33%
poly_pointwise_montgomery_native 4s 4s +0%
poly_reduce 4s 4s +0%
poly_uniform 4s 5s -20%
polyt1_unpack 4s 2s +100%
polyveck_sub 4s 4s +0%
polyvecl_pointwise_acc_montgomery_c 4s 5s -20%
polyvecl_pointwise_acc_montgomery_native 4s 2s +100%
polyz_unpack_native 4s 2s +100%
sign_verify_pre_hash_shake256 4s 3s +33%
unpack_sk_t0hat 4s 5s -20%
use_hint 4s 4s +0%
yvec_get_poly 4s 3s +33%
yvec_init 4s 3s +33%
caddq 3s 4s -25%
fqscale 3s 2s +50%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x4_native_avx2 3s 4s -25%
keccak_finalize 3s 4s -25%
keccak_init 3s 2s +50%
keccak_squeeze 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 3s +0%
keccakf1600_xor_bytes 3s 4s -25%
keccakf1600x4_permute 3s 2s +50%
mld_ct_abs_i32 3s 2s +50%
mld_ct_get_optblocker_u8 3s 1s +200%
mld_h 3s 3s +0%
mld_polymat_expand_entry 3s 3s +0%
mld_prepare_domain_separation_prefix 3s 3s +0%
mld_sample_s1_s2_serial 3s 5s -40%
mld_value_barrier_i64 3s 3s +0%
mld_value_barrier_u8 3s 3s +0%
ntt_native_x86_64 3s 4s -25%
pack_sig_h_poly 3s 4s -25%
pointwise_acc_native_aarch64 3s 5s -40%
pointwise_acc_native_x86_64 3s 4s -25%
pointwise_native_aarch64 3s 3s +0%
poly_chknorm_native_aarch64 3s 3s +0%
poly_decompose 3s 4s -25%
poly_invntt_tomont 3s 2s +50%
poly_ntt 3s 2s +50%
poly_ntt_c 3s 3s +0%
poly_permute_bitrev_to_custom_optional 3s 3s +0%
poly_permute_bitrev_to_custom_optional_native 3s 3s +0%
poly_sub 3s 3s +0%
poly_uniform_4x 3s 2s +50%
poly_uniform_gamma1_4x 3s 2s +50%
poly_use_hint 3s 2s +50%
poly_use_hint_c 3s 2s +50%
poly_use_hint_native 3s 2s +50%
polyt0_pack 3s 6s -50%
polyt1_pack 3s 2s +50%
polyvec_matrix_expand 3s 3s +0%
polyvec_matrix_pointwise_montgomery 3s 3s +0%
polyveck_caddq 3s 5s -40%
polyveck_pack_t0 3s 2s +50%
polyveck_pack_w1 3s 3s +0%
polyveck_unpack_t0 3s 4s -25%
polyvecl_pack_eta 3s 3s +0%
polyvecl_unpack_eta 3s 2s +50%
polyz_pack 3s 4s -25%
power2round 3s 4s -25%
reduce32 3s 3s +0%
rej_eta_c 3s 4s -25%
rej_eta_native 3s 2s +50%
shake128_absorb 3s 3s +0%
shake128_release 3s 2s +50%
shake128x4_absorb_once 3s 2s +50%
shake128x4_squeezeblocks 3s 1s +200%
shake256_release 3s 3s +0%
sig_unpack_hints 3s 5s -40%
sign_keypair 3s 4s -25%
sign_open 3s 5s -40%
sign_signature_pre_hash_internal 3s 2s +50%
sign_verify 3s 4s -25%
sk_s2hat_get_poly 3s 4s -25%
unpack_pk_t1 3s 3s +0%
keccak_f1600_x1_native_aarch64 2s 6s -67%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v84a 2s 3s -33%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 2s +0%
keccakf1600_xor_bytes (big endian) 2s 5s -60%
keccakf1600x4_extract_bytes 2s 4s -50%
keccakf1600x4_xor_bytes 2s 5s -60%
make_hint 2s 2s +0%
mld_ct_cmask_neg_i32 2s 4s -50%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_keccakf1600_extract_bytes 2s 3s -33%
mld_value_barrier_u32 2s 4s -50%
pack_pk 2s 4s -50%
pack_sig_c 2s 2s +0%
pack_sig_z 2s 2s +0%
poly_caddq_native 2s 2s +0%
poly_caddq_native_aarch64 2s 2s +0%
poly_chknorm 2s 3s -33%
poly_invntt_tomont_native 2s 2s +0%
poly_uniform_eta 2s 5s -60%
polyveck_pack_eta 2s 3s -33%
polyveck_shiftl 2s 3s -33%
polyveck_unpack_eta 2s 3s -33%
polyvecl_unpack_z 2s 3s -33%
polyw1_pack 2s 4s -50%
polyz_unpack_17_native_aarch64 2s 2s +0%
polyz_unpack_c 2s 2s +0%
rej_eta 2s 3s -33%
shake128_finalize 2s 1s +100%
shake256 2s 2s +0%
shake256_absorb 2s 3s -33%
shake256x4_absorb_once 2s 4s -50%
sign_verify_extmu 2s 3s -33%
sk_t0hat_get_poly 2s 2s +0%
unpack_sk 2s 6s -67%
unpack_sk_s1hat 2s 3s -33%
unpack_sk_s2hat 2s 3s -33%
decompose 1s 2s -50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 1s 1s +0%
mld_ct_get_optblocker_i64 1s 1s +0%
mld_ct_get_optblocker_u32 1s 1s +0%
mld_ct_sel_int32 1s 2s -50%
pack_sk_rho_key_tr_s2_t0 1s 2s -50%
poly_caddq 1s 4s -75%
polyz_unpack 1s 4s -75%
polyz_unpack_19_native_aarch64 1s 4s -75%
shake128_init 1s 5s -80%
shake256_init 1s 6s -83%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented May 3, 2026
edited
Loading

CBMC Results (ML-DSA-44)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1750s 1631s +7.3%
sign_verify_internal 140s 133s +5%
polyvecl_pointwise_acc_montgomery_c 125s 116s +8%
rej_uniform_native 124s 110s +13%
mld_invntt_layer 93s 92s +1%
poly_pointwise_montgomery_c 92s 86s +7%
mld_ct_memcmp 78s 74s +5%
mld_attempt_signature_generation 52s 53s -2%
mld_ntt_layer 43s 42s +2%
fqmul 27s 28s -4%
polyvec_matrix_pointwise_montgomery 26s 23s +13%
polyvec_matrix_expand 24s 25s -4%
keccakf1600x4_permute_native 23s 22s +5%
sign_keypair_internal 22s 27s -19%
sign_signature_internal 22s 21s +5%
sign_pk_from_sk 20s 20s +0%
mld_ntt_butterfly_block 16s 16s +0%
poly_chknorm_c 16s 16s +0%
polyveck_chknorm 16s 15s +7%
rej_uniform 16s 15s +7%
rej_uniform_c 16s 22s -27%
polyeta_unpack 15s 13s +15%
poly_uniform_4x 14s 11s +27%
polyz_unpack_c 14s 12s +17%
mld_check_pct 13s 15s -13%
poly_uniform_eta_4x 13s 12s +8%
polyt0_unpack 13s 14s -7%
poly_add 11s 10s +10%
polyvec_matrix_pointwise_montgomery_yvec 11s 12s -8%
keccak_absorb 10s 7s +43%
poly_invntt_tomont_c 10s 8s +25%
poly_power2round 9s 12s -25%
keccak_absorb_once_x4 8s 8s +0%
mld_compute_pack_z 8s 7s +14%
pointwise_acc_native_x86_64 8s 4s +100%
polyveck_decompose 8s 7s +14%
keccakf1600_permute_native 7s 7s +0%
mld_sample_s1_s2 7s 4s +75%
pointwise_acc_native_aarch64 7s 4s +75%
polyveck_use_hint 7s 8s -12%
fqscale 6s 2s +200%
keccakf1600_permute 6s 7s -14%
poly_caddq_c 6s 5s +20%
poly_challenge 6s 2s +200%
poly_decompose_c 6s 4s +50%
polyveck_unpack_eta 6s 5s +20%
sign_verify_extmu 6s 3s +100%
sign_verify_pre_hash_internal 6s 4s +50%
intt_native_x86_64 5s 4s +25%
keccakf1600x4_extract_bytes 5s 4s +25%
mld_h 5s 2s +150%
mld_sample_s1_s2_serial 5s 2s +150%
pack_sig_c 5s 2s +150%
pointwise_native_x86_64 5s 4s +25%
poly_chknorm 5s 2s +150%
poly_invntt_tomont 5s 3s +67%
poly_shiftl 5s 4s +25%
poly_uniform 5s 5s +0%
poly_use_hint_c 5s 2s +150%
polyt1_pack 5s 3s +67%
polyvec_matrix_expand_serial 5s 4s +25%
polyveck_add 5s 4s +25%
polyveck_pointwise_poly_montgomery 5s 6s -17%
polyveck_power2round 5s 6s -17%
polyvecl_chknorm 5s 7s -29%
polyvecl_ntt 5s 8s -38%
polyz_unpack_17_native_aarch64 5s 4s +25%
rej_eta_c 5s 8s -38%
sign 5s 3s +67%
sign_keypair 5s 3s +67%
sign_open 5s 5s +0%
sign_signature 5s 3s +67%
sign_verify_pre_hash_shake256 5s 3s +67%
sys_check_capability 5s 3s +67%
unpack_sk_t0hat 5s 3s +67%
keccak_f1600_x1_native_aarch64 4s 2s +100%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 4s 2s +100%
keccak_squeezeblocks_x4 4s 3s +33%
make_hint 4s 4s +0%
mld_ct_cmask_nonzero_u8 4s 4s +0%
mld_ct_get_optblocker_i64 4s 2s +100%
mld_ct_sel_int32 4s 1s +300%
mld_prepare_domain_separation_prefix 4s 3s +33%
ntt_native_x86_64 4s 3s +33%
nttunpack_native_x86_64 4s 3s +33%
poly_caddq 4s 4s +0%
poly_caddq_native_aarch64 4s 3s +33%
poly_chknorm_native 4s 4s +0%
poly_decompose 4s 3s +33%
poly_decompose_native 4s 4s +0%
poly_ntt_c 4s 2s +100%
poly_permute_bitrev_to_custom_optional_native 4s 3s +33%
poly_uniform_gamma1_4x 4s 7s -43%
poly_use_hint_native 4s 1s +300%
poly_use_hint_native_aarch64 4s 2s +100%
polyeta_pack 4s 2s +100%
polyveck_invntt_tomont 4s 4s +0%
polyveck_pack_t0 4s 3s +33%
polyveck_reduce 4s 4s +0%
polyveck_sub 4s 4s +0%
polyvecl_pointwise_acc_montgomery_native 4s 2s +100%
polyvecl_uniform_gamma1 4s 3s +33%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyvecl_unpack_eta 4s 3s +33%
polyz_pack 4s 3s +33%
polyz_unpack_native 4s 4s +0%
rej_eta 4s 4s +0%
rej_eta_native 4s 3s +33%
shake256x4_absorb_once 4s 2s +100%
sign_signature_extmu 4s 4s +0%
sign_verify 4s 2s +100%
sk_s1hat_get_poly 4s 2s +100%
unpack_pk_t1 4s 2s +100%
unpack_sk 4s 4s +0%
yvec_get_poly 4s 2s +100%
yvec_init 4s 5s -20%
caddq 3s 5s -40%
decompose 3s 4s -25%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 2s +50%
keccak_f1600_x4_native_avx2 3s 3s +0%
keccak_init 3s 2s +50%
keccak_squeeze 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 1s +200%
keccakf1600_xor_bytes 3s 2s +50%
keccakf1600_xor_bytes (big endian) 3s 3s +0%
keccakf1600x4_permute 3s 1s +200%
mld_ct_cmask_nonzero_u32 3s 3s +0%
mld_polymat_expand_entry 3s 3s +0%
mld_value_barrier_u32 3s 3s +0%
mld_value_barrier_u8 3s 1s +200%
ntt_native_aarch64 3s 4s -25%
pack_pk 3s 4s -25%
pack_sig_h_poly 3s 5s -40%
pack_sk_rho_key_tr_s2_t0 3s 3s +0%
pointwise_native_aarch64 3s 5s -40%
poly_caddq_native 3s 4s -25%
poly_chknorm_native_aarch64 3s 3s +0%
poly_invntt_tomont_native 3s 4s -25%
poly_ntt_native 3s 3s +0%
poly_pointwise_montgomery_native 3s 4s -25%
poly_reduce 3s 4s -25%
poly_sub 3s 3s +0%
poly_uniform_eta 3s 3s +0%
poly_uniform_gamma1 3s 2s +50%
polyt0_pack 3s 3s +0%
polyt1_unpack 3s 5s -40%
polyvec_matrix_pointwise_montgomery_row 3s 2s +50%
polyveck_caddq 3s 4s -25%
polyveck_ntt 3s 4s -25%
polyveck_pack_w1 3s 2s +50%
polyveck_shiftl 3s 3s +0%
polyvecl_unpack_z 3s 2s +50%
polyw1_pack 3s 4s -25%
polyz_unpack_19_native_aarch64 3s 4s -25%
reduce32 3s 2s +50%
shake128_absorb 3s 1s +200%
shake128_finalize 3s 2s +50%
shake128_init 3s 2s +50%
shake128_squeeze 3s 3s +0%
shake128x4_squeezeblocks 3s 3s +0%
shake256_absorb 3s 3s +0%
shake256_finalize 3s 1s +200%
sig_unpack_hints 3s 3s +0%
sign_signature_pre_hash_shake256 3s 3s +0%
sk_s2hat_get_poly 3s 2s +50%
sk_t0hat_get_poly 3s 2s +50%
unpack_sk_s1hat 3s 3s +0%
unpack_sk_s2hat 3s 2s +50%
use_hint 3s 3s +0%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v84a 2s 4s -50%
keccak_finalize 2s 2s +0%
mld_ct_abs_i32 2s 2s +0%
mld_ct_get_optblocker_u32 2s 3s -33%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 2s +0%
mld_value_barrier_i64 2s 1s +100%
montgomery_reduce 2s 5s -60%
pack_sig_z 2s 2s +0%
pack_sk_s1 2s 2s +0%
poly_make_hint 2s 2s +0%
poly_ntt 2s 2s +0%
poly_permute_bitrev_to_custom_optional 2s 4s -50%
poly_pointwise_montgomery 2s 3s -33%
poly_use_hint 2s 2s +0%
polyveck_pack_eta 2s 3s -33%
polyveck_unpack_t0 2s 1s +100%
polyvecl_pack_eta 2s 3s -33%
polyz_unpack 2s 5s -60%
power2round 2s 2s +0%
shake128_release 2s 3s -33%
shake128x4_absorb_once 2s 5s -60%
shake256_init 2s 2s +0%
shake256_release 2s 2s +0%
shake256_squeeze 2s 2s +0%
shake256x4_squeezeblocks 2s 2s +0%
sign_signature_pre_hash_internal 2s 3s -33%
keccakf1600x4_xor_bytes 1s 3s -67%
mld_ct_cmask_neg_i32 1s 2s -50%
polyvecl_pointwise_acc_montgomery 1s 3s -67%
shake256 1s 1s +0%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented May 3, 2026
edited
Loading

CBMC Results (ML-DSA-65, REDUCE-RAM)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1544s 1537s +0.5%
poly_pointwise_montgomery_c 177s 174s +2%
mld_invntt_layer 112s 104s +8%
rej_uniform_native 107s 106s +1%
mld_ct_memcmp 74s 71s +4%
polyvec_matrix_pointwise_montgomery_yvec 74s 75s -1%
mld_ntt_layer 44s 42s +5%
mld_attempt_signature_generation 33s 30s +10%
fqmul 27s 27s +0%
sign_keypair_internal 23s 23s +0%
keccakf1600x4_permute_native 22s 24s -8%
sign_verify_internal 22s 21s +5%
rej_uniform 20s 21s -5%
rej_uniform_c 19s 20s -5%
mld_ntt_butterfly_block 17s 14s +21%
polyveck_power2round 17s 15s +13%
poly_chknorm_c 16s 14s +14%
polyveck_decompose 16s 17s -6%
mld_check_pct 14s 11s +27%
poly_uniform_eta_4x 14s 12s +17%
sign_pk_from_sk 13s 13s +0%
poly_add 11s 10s +10%
polyveck_add 11s 12s -8%
polyvec_matrix_pointwise_montgomery_row 10s 15s -33%
polyveck_chknorm 10s 8s +25%
keccak_absorb_once_x4 9s 9s +0%
poly_caddq_c 9s 8s +12%
polyt0_unpack 9s 10s -10%
polyveck_invntt_tomont 9s 7s +29%
keccak_absorb 8s 7s +14%
mld_compute_pack_z 8s 7s +14%
poly_invntt_tomont_c 8s 9s -11%
polyveck_pointwise_poly_montgomery 8s 8s +0%
polyveck_use_hint 8s 9s -11%
keccakf1600_permute_native 7s 11s -36%
pack_sk_s1 7s 2s +250%
poly_shiftl 7s 7s +0%
polyveck_caddq 7s 8s -12%
polyveck_reduce 7s 6s +17%
polyvecl_chknorm 7s 7s +0%
polyvecl_ntt 7s 8s -12%
sign 7s 7s +0%
pointwise_acc_native_aarch64 6s 6s +0%
pointwise_acc_native_x86_64 6s 5s +20%
poly_caddq_native 6s 5s +20%
poly_power2round 6s 8s -25%
poly_uniform_4x 6s 3s +100%
poly_use_hint_c 6s 5s +20%
polyveck_ntt 6s 6s +0%
sign_signature_extmu 6s 5s +20%
sign_verify_extmu 6s 3s +100%
unpack_sk 6s 4s +50%
decompose 5s 2s +150%
intt_native_x86_64 5s 5s +0%
keccakf1600_permute 5s 8s -38%
mld_sample_s1_s2 5s 5s +0%
mld_sample_s1_s2_serial 5s 5s +0%
pointwise_native_aarch64 5s 3s +67%
poly_caddq 5s 4s +25%
poly_chknorm 5s 2s +150%
poly_decompose_c 5s 4s +25%
poly_pointwise_montgomery_native 5s 4s +25%
polyvec_matrix_expand 5s 2s +150%
polyvec_matrix_pointwise_montgomery 5s 4s +25%
polyveck_shiftl 5s 4s +25%
polyveck_sub 5s 6s -17%
polyvecl_pointwise_acc_montgomery 5s 2s +150%
sig_unpack_hints 5s 6s -17%
sign_open 5s 4s +25%
sign_signature_internal 5s 4s +25%
keccak_f1600_x1_native_aarch64 4s 3s +33%
keccak_squeezeblocks_x4 4s 5s -20%
mld_prepare_domain_separation_prefix 4s 6s -33%
mld_value_barrier_i64 4s 2s +100%
ntt_native_aarch64 4s 4s +0%
ntt_native_x86_64 4s 1s +300%
pack_sig_z 4s 2s +100%
pack_sk_rho_key_tr_s2_t0 4s 1s +300%
pointwise_native_x86_64 4s 3s +33%
poly_challenge 4s 4s +0%
poly_invntt_tomont_native 4s 4s +0%
poly_make_hint 4s 5s -20%
poly_ntt 4s 4s +0%
poly_permute_bitrev_to_custom_optional 4s 4s +0%
poly_pointwise_montgomery 4s 2s +100%
poly_uniform 4s 3s +33%
poly_uniform_eta 4s 4s +0%
poly_use_hint_native 4s 5s -20%
polyeta_pack 4s 4s +0%
polyt0_pack 4s 6s -33%
polyt1_pack 4s 2s +100%
polyveck_pack_t0 4s 2s +100%
polyveck_pack_w1 4s 1s +300%
polyvecl_unpack_eta 4s 2s +100%
polyz_unpack 4s 4s +0%
polyz_unpack_17_native_aarch64 4s 3s +33%
rej_eta_native 4s 3s +33%
sign_signature 4s 5s -20%
sign_signature_pre_hash_shake256 4s 4s +0%
sign_verify 4s 5s -20%
sign_verify_pre_hash_shake256 4s 2s +100%
sk_s1hat_get_poly 4s 5s -20%
sk_s2hat_get_poly 4s 4s +0%
caddq 3s 1s +200%
fqscale 3s 4s -25%
keccak_f1600_x4_native_avx2 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 3s +0%
keccakf1600x4_extract_bytes 3s 1s +200%
make_hint 3s 3s +0%
mld_ct_abs_i32 3s 1s +200%
mld_ct_cmask_nonzero_u8 3s 5s -40%
mld_ct_get_optblocker_u32 3s 4s -25%
mld_ct_get_optblocker_u8 3s 3s +0%
mld_polymat_expand_entry 3s 2s +50%
mld_value_barrier_u32 3s 2s +50%
nttunpack_native_x86_64 3s 2s +50%
poly_chknorm_native 3s 3s +0%
poly_chknorm_native_aarch64 3s 2s +50%
poly_decompose 3s 3s +0%
poly_decompose_native 3s 5s -40%
poly_ntt_c 3s 2s +50%
poly_sub 3s 2s +50%
poly_use_hint 3s 1s +200%
poly_use_hint_native_aarch64 3s 3s +0%
polyeta_unpack 3s 5s -40%
polyt1_unpack 3s 6s -50%
polyvec_matrix_expand_serial 3s 3s +0%
polyveck_unpack_eta 3s 4s -25%
polyvecl_pack_eta 3s 3s +0%
polyvecl_uniform_gamma1 3s 3s +0%
polyvecl_uniform_gamma1_serial 3s 4s -25%
polyw1_pack 3s 3s +0%
polyz_unpack_c 3s 4s -25%
power2round 3s 6s -50%
rej_eta_c 3s 2s +50%
shake128_absorb 3s 6s -50%
shake128_init 3s 4s -25%
shake256_squeeze 3s 2s +50%
shake256x4_absorb_once 3s 3s +0%
shake256x4_squeezeblocks 3s 2s +50%
sign_signature_pre_hash_internal 3s 3s +0%
sk_t0hat_get_poly 3s 1s +200%
sys_check_capability 3s 5s -40%
unpack_sk_t0hat 3s 4s -25%
use_hint 3s 4s -25%
yvec_init 3s 4s -25%
keccak_f1600_x1_native_aarch64_v84a 2s 1s +100%
keccak_finalize 2s 2s +0%
keccak_init 2s 3s -33%
keccak_squeeze 2s 3s -33%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600_xor_bytes (big endian) 2s 1s +100%
keccakf1600x4_permute 2s 4s -50%
keccakf1600x4_xor_bytes 2s 1s +100%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_ct_cmask_nonzero_u32 2s 2s +0%
mld_ct_get_optblocker_i64 2s 3s -33%
mld_h 2s 6s -67%
mld_keccakf1600_extract_bytes 2s 1s +100%
montgomery_reduce 2s 2s +0%
pack_sig_c 2s 3s -33%
pack_sig_h_poly 2s 2s +0%
poly_caddq_native_aarch64 2s 3s -33%
poly_invntt_tomont 2s 3s -33%
poly_ntt_native 2s 6s -67%
poly_permute_bitrev_to_custom_optional_native 2s 5s -60%
poly_reduce 2s 2s +0%
poly_uniform_gamma1_4x 2s 3s -33%
polyveck_pack_eta 2s 3s -33%
polyveck_unpack_t0 2s 3s -33%
polyvecl_pointwise_acc_montgomery_c 2s 3s -33%
polyvecl_pointwise_acc_montgomery_native 2s 3s -33%
polyvecl_unpack_z 2s 4s -50%
polyz_unpack_19_native_aarch64 2s 3s -33%
polyz_unpack_native 2s 4s -50%
shake128_finalize 2s 2s +0%
shake128_release 2s 1s +100%
shake128_squeeze 2s 3s -33%
shake128x4_absorb_once 2s 2s +0%
shake128x4_squeezeblocks 2s 5s -60%
shake256 2s 2s +0%
shake256_absorb 2s 2s +0%
shake256_finalize 2s 2s +0%
shake256_init 2s 3s -33%
sign_keypair 2s 2s +0%
sign_verify_pre_hash_internal 2s 3s -33%
unpack_pk_t1 2s 3s -33%
unpack_sk_s1hat 2s 2s +0%
unpack_sk_s2hat 2s 4s -50%
keccak_f1600_x4_native_aarch64_v84a 1s 3s -67%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 1s 4s -75%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 1s 1s +0%
mld_ct_sel_int32 1s 3s -67%
mld_value_barrier_u8 1s 3s -67%
pack_pk 1s 3s -67%
poly_uniform_gamma1 1s 3s -67%
polyz_pack 1s 3s -67%
reduce32 1s 2s -50%
rej_eta 1s 7s -86%
shake256_release 1s 1s +0%
yvec_get_poly 1s 2s -50%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented May 3, 2026
edited
Loading

CBMC Results (ML-DSA-87, REDUCE-RAM)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 1624s 1701s -4.5%
poly_pointwise_montgomery_c 171s 194s -12%
polyvec_matrix_pointwise_montgomery_yvec 141s 146s -3%
rej_uniform_native 111s 109s +2%
mld_invntt_layer 102s 108s -6%
mld_ct_memcmp 73s 80s -9%
mld_ntt_layer 42s 46s -9%
sign_verify_internal 42s 43s -2%
sign_keypair_internal 32s 37s -14%
mld_attempt_signature_generation 28s 27s +4%
fqmul 26s 33s -21%
keccakf1600x4_permute_native 23s 23s +0%
rej_uniform 20s 18s +11%
sign_pk_from_sk 20s 21s -5%
polyeta_unpack 19s 19s +0%
mld_ntt_butterfly_block 18s 18s +0%
rej_uniform_c 17s 20s -15%
poly_uniform_eta_4x 14s 14s +0%
polyveck_decompose 13s 13s +0%
mld_check_pct 12s 13s -8%
poly_chknorm_c 12s 17s -29%
polyvec_matrix_pointwise_montgomery_row 12s 13s -8%
polyveck_pointwise_poly_montgomery 12s 10s +20%
poly_invntt_tomont_c 11s 10s +10%
keccak_absorb_once_x4 10s 8s +25%
pointwise_acc_native_x86_64 10s 7s +43%
poly_add 10s 11s -9%
polyt0_unpack 10s 12s -17%
polyveck_add 9s 10s -10%
polyveck_invntt_tomont 9s 8s +12%
poly_caddq_c 8s 9s -11%
poly_power2round 8s 6s +33%
keccak_absorb 7s 5s +40%
keccakf1600_permute 7s 6s +17%
poly_uniform 7s 6s +17%
polyvec_matrix_pointwise_montgomery 7s 4s +75%
polyveck_caddq 7s 8s -12%
polyveck_sub 7s 4s +75%
polyvecl_ntt 7s 8s -12%
sign 7s 7s +0%
pack_sk_rho_key_tr_s2_t0 6s 3s +100%
polyt1_pack 6s 4s +50%
polyveck_power2round 6s 9s -33%
polyveck_use_hint 6s 8s -25%
sign_signature_extmu 6s 2s +200%
sign_verify_pre_hash_internal 6s 4s +50%
decompose 5s 3s +67%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 5s 5s +0%
keccakf1600_permute_native 5s 6s -17%
mld_compute_pack_z 5s 6s -17%
mld_sample_s1_s2 5s 7s -29%
mld_sample_s1_s2_serial 5s 5s +0%
nttunpack_native_x86_64 5s 4s +25%
pointwise_acc_native_aarch64 5s 7s -29%
poly_pointwise_montgomery 5s 3s +67%
poly_shiftl 5s 6s -17%
poly_sub 5s 5s +0%
polyveck_chknorm 5s 6s -17%
polyveck_ntt 5s 7s -29%
polyveck_reduce 5s 4s +25%
polyveck_shiftl 5s 5s +0%
polyvecl_chknorm 5s 6s -17%
polyvecl_pack_eta 5s 4s +25%
polyvecl_unpack_eta 5s 4s +25%
reduce32 5s 5s +0%
shake256_absorb 5s 3s +67%
shake256_squeeze 5s 2s +150%
shake256x4_squeezeblocks 5s 4s +25%
sign_keypair 5s 3s +67%
sign_signature_internal 5s 5s +0%
sign_signature_pre_hash_internal 5s 4s +25%
sign_signature_pre_hash_shake256 5s 6s -17%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 4s 3s +33%
mld_ct_cmask_nonzero_u8 4s 3s +33%
mld_ct_get_optblocker_i64 4s 1s +300%
mld_ct_get_optblocker_u8 4s 2s +100%
mld_h 4s 5s -20%
ntt_native_x86_64 4s 4s +0%
pack_pk 4s 2s +100%
pack_sig_c 4s 4s +0%
pointwise_native_x86_64 4s 3s +33%
poly_challenge 4s 5s -20%
poly_chknorm_native_aarch64 4s 2s +100%
poly_decompose 4s 1s +300%
poly_decompose_c 4s 4s +0%
poly_invntt_tomont_native 4s 4s +0%
poly_ntt_c 4s 3s +33%
poly_ntt_native 4s 3s +33%
poly_permute_bitrev_to_custom_optional_native 4s 2s +100%
poly_uniform_4x 4s 4s +0%
poly_uniform_gamma1 4s 1s +300%
poly_use_hint_c 4s 6s -33%
polyeta_pack 4s 2s +100%
polyvec_matrix_expand 4s 1s +300%
polyvec_matrix_expand_serial 4s 2s +100%
polyveck_pack_eta 4s 1s +300%
polyveck_pack_t0 4s 6s -33%
polyveck_unpack_t0 4s 5s -20%
polyvecl_uniform_gamma1 4s 3s +33%
polyw1_pack 4s 2s +100%
polyz_unpack_c 4s 5s -20%
power2round 4s 2s +100%
rej_eta_c 4s 3s +33%
rej_eta_native 4s 4s +0%
sig_unpack_hints 4s 7s -43%
sign_open 4s 5s -20%
sign_signature 4s 6s -33%
sign_verify 4s 3s +33%
unpack_sk_s1hat 4s 4s +0%
use_hint 4s 4s +0%
intt_native_x86_64 3s 2s +50%
keccak_init 3s 3s +0%
keccak_squeezeblocks_x4 3s 4s -25%
keccakf1600x4_permute 3s 1s +200%
keccakf1600x4_xor_bytes 3s 1s +200%
make_hint 3s 3s +0%
mld_ct_cmask_neg_i32 3s 3s +0%
mld_prepare_domain_separation_prefix 3s 5s -40%
mld_value_barrier_i64 3s 2s +50%
ntt_native_aarch64 3s 5s -40%
pack_sig_h_poly 3s 4s -25%
pack_sig_z 3s 3s +0%
pointwise_native_aarch64 3s 4s -25%
poly_caddq 3s 2s +50%
poly_caddq_native 3s 3s +0%
poly_caddq_native_aarch64 3s 3s +0%
poly_chknorm_native 3s 4s -25%
poly_invntt_tomont 3s 3s +0%
poly_make_hint 3s 2s +50%
polyt0_pack 3s 5s -40%
polyveck_pack_w1 3s 5s -40%
polyveck_unpack_eta 3s 3s +0%
polyvecl_pointwise_acc_montgomery_c 3s 3s +0%
polyvecl_pointwise_acc_montgomery_native 3s 3s +0%
polyvecl_uniform_gamma1_serial 3s 4s -25%
polyz_pack 3s 2s +50%
polyz_unpack 3s 2s +50%
polyz_unpack_19_native_aarch64 3s 2s +50%
polyz_unpack_native 3s 4s -25%
shake128_squeeze 3s 3s +0%
shake128x4_absorb_once 3s 3s +0%
shake256x4_absorb_once 3s 3s +0%
sign_verify_extmu 3s 4s -25%
sign_verify_pre_hash_shake256 3s 4s -25%
sk_s2hat_get_poly 3s 3s +0%
sk_t0hat_get_poly 3s 4s -25%
caddq 2s 5s -60%
fqscale 2s 3s -33%
keccak_f1600_x1_native_aarch64 2s 2s +0%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_avx2 2s 2s +0%
keccak_squeeze 2s 1s +100%
keccakf1600_xor_bytes 2s 4s -50%
keccakf1600_xor_bytes (big endian) 2s 4s -50%
keccakf1600x4_extract_bytes 2s 3s -33%
mld_ct_abs_i32 2s 5s -60%
mld_ct_cmask_nonzero_u32 2s 3s -33%
mld_ct_get_optblocker_u32 2s 3s -33%
mld_ct_sel_int32 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 1s +100%
mld_polymat_expand_entry 2s 3s -33%
mld_value_barrier_u32 2s 2s +0%
mld_value_barrier_u8 2s 2s +0%
montgomery_reduce 2s 2s +0%
pack_sk_s1 2s 2s +0%
poly_chknorm 2s 3s -33%
poly_decompose_native 2s 3s -33%
poly_ntt 2s 2s +0%
poly_permute_bitrev_to_custom_optional 2s 2s +0%
poly_reduce 2s 1s +100%
poly_uniform_eta 2s 3s -33%
poly_uniform_gamma1_4x 2s 2s +0%
poly_use_hint_native_aarch64 2s 5s -60%
polyt1_unpack 2s 5s -60%
polyvecl_pointwise_acc_montgomery 2s 2s +0%
polyvecl_unpack_z 2s 4s -50%
polyz_unpack_17_native_aarch64 2s 2s +0%
rej_eta 2s 3s -33%
shake128_absorb 2s 2s +0%
shake256 2s 1s +100%
shake256_init 2s 3s -33%
shake256_release 2s 4s -50%
sk_s1hat_get_poly 2s 3s -33%
unpack_pk_t1 2s 3s -33%
unpack_sk 2s 5s -60%
unpack_sk_s2hat 2s 4s -50%
unpack_sk_t0hat 2s 3s -33%
yvec_init 2s 3s -33%
keccak_f1600_x4_native_aarch64_v84a 1s 2s -50%
keccak_finalize 1s 3s -67%
keccakf1600_extract_bytes (big endian) 1s 3s -67%
poly_pointwise_montgomery_native 1s 4s -75%
poly_use_hint 1s 3s -67%
poly_use_hint_native 1s 4s -75%
shake128_finalize 1s 4s -75%
shake128_init 1s 1s +0%
shake128_release 1s 3s -67%
shake128x4_squeezeblocks 1s 2s -50%
shake256_finalize 1s 1s +0%
sys_check_capability 1s 2s -50%
yvec_get_poly 1s 3s -67%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented May 3, 2026
edited
Loading

CBMC Results (ML-DSA-87)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 2673s 2475s +8.0%
sign_verify_internal 411s 375s +10%
polyvecl_pointwise_acc_montgomery_c 366s 322s +14%
polyvec_matrix_expand 171s 156s +10%
rej_uniform_native 135s 117s +15%
mld_attempt_signature_generation 121s 108s +12%
mld_invntt_layer 101s 92s +10%
poly_pointwise_montgomery_c 100s 90s +11%
mld_ct_memcmp 80s 70s +14%
polyvec_matrix_expand_serial 59s 53s +11%
sign_keypair_internal 53s 53s +0%
mld_ntt_layer 45s 40s +12%
sign_signature_internal 41s 36s +14%
polyveck_power2round 35s 33s +6%
sign_pk_from_sk 33s 33s +0%
fqmul 29s 27s +7%
polyvec_matrix_pointwise_montgomery 28s 28s +0%
keccakf1600x4_permute_native 23s 25s -8%
polyvec_matrix_pointwise_montgomery_yvec 20s 19s +5%
mld_ntt_butterfly_block 19s 18s +6%
rej_uniform_c 18s 17s +6%
poly_chknorm_c 17s 17s +0%
rej_uniform 17s 17s +0%
polyt0_unpack 16s 13s +23%
poly_uniform_4x 13s 12s +8%
poly_uniform_eta_4x 12s 13s -8%
polyveck_decompose 12s 10s +20%
poly_add 11s 12s -8%
poly_power2round 11s 9s +22%
polyeta_unpack 11s 15s -27%
polyveck_add 11s 12s -8%
polyveck_use_hint 11s 8s +38%
keccak_absorb_once_x4 10s 8s +25%
mld_compute_pack_z 10s 7s +43%
polyveck_ntt 10s 11s -9%
polyveck_pointwise_poly_montgomery 10s 9s +11%
mld_check_pct 9s 8s +12%
poly_invntt_tomont_c 9s 8s +12%
keccak_absorb 8s 8s +0%
pointwise_acc_native_aarch64 8s 8s +0%
pointwise_acc_native_x86_64 8s 6s +33%
poly_decompose_c 8s 7s +14%
polyvecl_ntt 8s 7s +14%
sig_unpack_hints 8s 6s +33%
keccakf1600_permute 7s 8s -12%
keccakf1600_permute_native 7s 9s -22%
polyveck_shiftl 7s 6s +17%
sign 7s 7s +0%
sign_verify_pre_hash_internal 7s 4s +75%
mld_h 6s 2s +200%
poly_permute_bitrev_to_custom_optional_native 6s 3s +100%
poly_uniform_eta 6s 5s +20%
polyt0_pack 6s 4s +50%
polyveck_caddq 6s 4s +50%
polyveck_chknorm 6s 5s +20%
polyveck_reduce 6s 6s +0%
polyveck_sub 6s 8s -25%
fqscale 5s 2s +150%
keccak_squeezeblocks_x4 5s 3s +67%
mld_ct_cmask_nonzero_u8 5s 3s +67%
mld_sample_s1_s2 5s 5s +0%
pointwise_native_x86_64 5s 5s +0%
poly_pointwise_montgomery_native 5s 3s +67%
poly_uniform_gamma1_4x 5s 5s +0%
polyveck_invntt_tomont 5s 7s -29%
polyz_unpack_19_native_aarch64 5s 2s +150%
polyz_unpack_c 5s 8s -38%
rej_eta_c 5s 3s +67%
shake256_finalize 5s 1s +400%
sign_signature 5s 4s +25%
sign_signature_pre_hash_shake256 5s 5s +0%
sys_check_capability 5s 2s +150%
unpack_pk_t1 5s 4s +25%
decompose 4s 3s +33%
keccak_f1600_x1_native_aarch64_v84a 4s 2s +100%
keccakf1600_extract_bytes (big endian) 4s 2s +100%
keccakf1600_xor_bytes 4s 2s +100%
keccakf1600x4_permute 4s 1s +300%
mld_keccakf1600_extract_bytes 4s 2s +100%
mld_prepare_domain_separation_prefix 4s 6s -33%
mld_sample_s1_s2_serial 4s 5s -20%
nttunpack_native_x86_64 4s 5s -20%
pack_sig_h_poly 4s 3s +33%
poly_caddq_c 4s 3s +33%
poly_caddq_native 4s 5s -20%
poly_challenge 4s 3s +33%
poly_decompose_native 4s 3s +33%
poly_ntt_c 4s 2s +100%
poly_ntt_native 4s 3s +33%
poly_permute_bitrev_to_custom_optional 4s 3s +33%
poly_shiftl 4s 3s +33%
poly_sub 4s 3s +33%
poly_use_hint_c 4s 3s +33%
polyt1_pack 4s 3s +33%
polyveck_unpack_eta 4s 4s +0%
polyvecl_uniform_gamma1 4s 6s -33%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyvecl_unpack_z 4s 3s +33%
polyz_pack 4s 4s +0%
polyz_unpack 4s 2s +100%
polyz_unpack_17_native_aarch64 4s 4s +0%
polyz_unpack_native 4s 3s +33%
rej_eta_native 4s 5s -20%
shake128_init 4s 3s +33%
shake128x4_absorb_once 4s 2s +100%
sign_keypair 4s 5s -20%
sign_signature_extmu 4s 3s +33%
sign_signature_pre_hash_internal 4s 3s +33%
sign_verify 4s 5s -20%
sign_verify_pre_hash_shake256 4s 2s +100%
sk_s1hat_get_poly 4s 5s -20%
sk_s2hat_get_poly 4s 4s +0%
unpack_sk 4s 2s +100%
unpack_sk_s1hat 4s 4s +0%
unpack_sk_s2hat 4s 5s -20%
unpack_sk_t0hat 4s 2s +100%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x1_native_aarch64 3s 1s +200%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 3s 2s +50%
keccak_squeeze 3s 4s -25%
make_hint 3s 1s +200%
mld_ct_abs_i32 3s 3s +0%
mld_ct_cmask_neg_i32 3s 3s +0%
mld_polymat_expand_entry 3s 2s +50%
mld_value_barrier_u32 3s 2s +50%
montgomery_reduce 3s 4s -25%
ntt_native_aarch64 3s 2s +50%
ntt_native_x86_64 3s 3s +0%
pack_sk_rho_key_tr_s2_t0 3s 3s +0%
poly_caddq 3s 2s +50%
poly_caddq_native_aarch64 3s 2s +50%
poly_invntt_tomont 3s 3s +0%
poly_invntt_tomont_native 3s 3s +0%
poly_make_hint 3s 5s -40%
poly_ntt 3s 2s +50%
poly_reduce 3s 3s +0%
poly_uniform 3s 4s -25%
poly_uniform_gamma1 3s 2s +50%
poly_use_hint 3s 2s +50%
poly_use_hint_native_aarch64 3s 4s -25%
polyeta_pack 3s 2s +50%
polyt1_unpack 3s 1s +200%
polyvec_matrix_pointwise_montgomery_row 3s 2s +50%
polyveck_pack_eta 3s 5s -40%
polyveck_pack_t0 3s 6s -50%
polyvecl_chknorm 3s 5s -40%
polyvecl_pack_eta 3s 4s -25%
polyvecl_pointwise_acc_montgomery_native 3s 7s -57%
polyvecl_unpack_eta 3s 4s -25%
polyw1_pack 3s 5s -40%
power2round 3s 2s +50%
shake128_release 3s 3s +0%
shake256x4_absorb_once 3s 3s +0%
sign_verify_extmu 3s 3s +0%
yvec_init 3s 5s -40%
caddq 2s 4s -50%
keccak_f1600_x4_native_aarch64_v84a 2s 4s -50%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 3s -33%
keccak_finalize 2s 1s +100%
keccak_init 2s 3s -33%
mld_ct_cmask_nonzero_u32 2s 4s -50%
mld_ct_get_optblocker_i64 2s 3s -33%
mld_ct_get_optblocker_u32 2s 4s -50%
mld_ct_get_optblocker_u8 2s 1s +100%
mld_ct_sel_int32 2s 4s -50%
mld_value_barrier_u8 2s 1s +100%
pack_pk 2s 3s -33%
pack_sig_c 2s 3s -33%
pack_sig_z 2s 4s -50%
pack_sk_s1 2s 2s +0%
pointwise_native_aarch64 2s 3s -33%
poly_chknorm_native 2s 3s -33%
poly_chknorm_native_aarch64 2s 3s -33%
poly_decompose 2s 2s +0%
poly_pointwise_montgomery 2s 3s -33%
poly_use_hint_native 2s 4s -50%
polyveck_pack_w1 2s 5s -60%
polyveck_unpack_t0 2s 5s -60%
polyvecl_pointwise_acc_montgomery 2s 3s -33%
reduce32 2s 1s +100%
rej_eta 2s 4s -50%
shake128_absorb 2s 2s +0%
shake128_finalize 2s 1s +100%
shake128x4_squeezeblocks 2s 3s -33%
shake256 2s 1s +100%
shake256_absorb 2s 2s +0%
shake256_init 2s 4s -50%
shake256_release 2s 2s +0%
shake256_squeeze 2s 3s -33%
shake256x4_squeezeblocks 2s 2s +0%
sign_open 2s 3s -33%
sk_t0hat_get_poly 2s 3s -33%
use_hint 2s 4s -50%
yvec_get_poly 2s 4s -50%
keccak_f1600_x4_native_avx2 1s 3s -67%
keccakf1600_xor_bytes (big endian) 1s 1s +0%
keccakf1600x4_extract_bytes 1s 3s -67%
keccakf1600x4_xor_bytes 1s 1s +0%
mld_value_barrier_i64 1s 2s -50%
poly_chknorm 1s 5s -80%
shake128_squeeze 1s 4s -75%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented May 3, 2026
edited
Loading

CBMC Results (ML-DSA-65)

Full Results (200 proofs)
Proof Status Current Previous Change
**TOTAL** 2588s 2292s +12.9%
polyvecl_pointwise_acc_montgomery_c 628s 489s +28%
sign_verify_internal 269s 252s +7%
polyvec_matrix_expand 137s 122s +12%
rej_uniform_native 134s 119s +13%
poly_pointwise_montgomery_c 106s 93s +14%
mld_invntt_layer 100s 88s +14%
mld_ct_memcmp 84s 73s +15%
mld_attempt_signature_generation 45s 40s +12%
mld_ntt_layer 45s 41s +10%
fqmul 33s 31s +6%
sign_keypair_internal 30s 31s -3%
polyvec_matrix_expand_serial 27s 24s +12%
sign_signature_internal 27s 26s +4%
keccakf1600x4_permute_native 22s 24s -8%
polyvec_matrix_pointwise_montgomery_yvec 22s 20s +10%
polyvec_matrix_pointwise_montgomery 21s 21s +0%
sign_pk_from_sk 20s 18s +11%
mld_ntt_butterfly_block 18s 14s +29%
polyveck_power2round 18s 13s +38%
rej_uniform 18s 16s +12%
rej_uniform_c 18s 20s -10%
polyveck_decompose 17s 13s +31%
poly_uniform_eta_4x 16s 12s +33%
poly_chknorm_c 15s 14s +7%
polyt0_unpack 15s 14s +7%
keccak_absorb_once_x4 12s 10s +20%
poly_uniform_4x 12s 12s +0%
poly_add 11s 10s +10%
poly_power2round 11s 9s +22%
polyveck_add 11s 9s +22%
mld_check_pct 10s 9s +11%
polyveck_pointwise_poly_montgomery 10s 7s +43%
polyveck_use_hint 10s 10s +0%
sign 10s 7s +43%
poly_invntt_tomont_c 9s 9s +0%
polyz_unpack_c 9s 6s +50%
mld_compute_pack_z 8s 8s +0%
keccak_absorb 7s 8s -12%
keccakf1600_permute 7s 6s +17%
polyveck_invntt_tomont 7s 5s +40%
polyveck_shiftl 7s 5s +40%
polyvecl_chknorm 7s 7s +0%
polyvecl_ntt 7s 7s +0%
sign_open 7s 7s +0%
fqscale 6s 5s +20%
intt_native_x86_64 6s 2s +200%
keccak_f1600_x1_native_aarch64 6s 3s +100%
keccakf1600_extract_bytes (big endian) 6s 3s +100%
keccakf1600_permute_native 6s 9s -33%
mld_sample_s1_s2 6s 6s +0%
pointwise_acc_native_x86_64 6s 6s +0%
polyveck_chknorm 6s 4s +50%
polyveck_ntt 6s 5s +20%
polyveck_reduce 6s 5s +20%
polyveck_sub 6s 5s +20%
sig_unpack_hints 6s 6s +0%
sign_signature_extmu 6s 3s +100%
sign_signature_pre_hash_shake256 6s 8s -25%
sign_verify_pre_hash_internal 6s 3s +100%
caddq 5s 3s +67%
keccak_squeezeblocks_x4 5s 3s +67%
mld_prepare_domain_separation_prefix 5s 5s +0%
nttunpack_native_x86_64 5s 3s +67%
pack_sig_c 5s 3s +67%
pack_sk_s1 5s 3s +67%
pointwise_acc_native_aarch64 5s 5s +0%
pointwise_native_x86_64 5s 3s +67%
poly_invntt_tomont_native 5s 4s +25%
poly_permute_bitrev_to_custom_optional_native 5s 3s +67%
poly_shiftl 5s 4s +25%
polyt0_pack 5s 5s +0%
polyveck_caddq 5s 8s -38%
polyvecl_pointwise_acc_montgomery_native 5s 3s +67%
polyz_unpack_19_native_aarch64 5s 1s +400%
sign_keypair 5s 3s +67%
sign_signature 5s 3s +67%
sign_signature_pre_hash_internal 5s 6s -17%
sign_verify_pre_hash_shake256 5s 4s +25%
unpack_pk_t1 5s 2s +150%
unpack_sk 5s 4s +25%
keccak_f1600_x4_native_aarch64_v84a 4s 2s +100%
keccakf1600x4_xor_bytes 4s 3s +33%
ntt_native_aarch64 4s 4s +0%
ntt_native_x86_64 4s 5s -20%
pointwise_native_aarch64 4s 3s +33%
poly_caddq_c 4s 5s -20%
poly_challenge 4s 5s -20%
poly_chknorm_native_aarch64 4s 2s +100%
poly_make_hint 4s 2s +100%
poly_ntt_native 4s 2s +100%
poly_uniform 4s 3s +33%
poly_use_hint_native 4s 2s +100%
polyeta_unpack 4s 3s +33%
polyt1_unpack 4s 5s -20%
polyveck_pack_eta 4s 2s +100%
polyveck_pack_w1 4s 3s +33%
polyveck_unpack_t0 4s 5s -20%
polyvecl_uniform_gamma1 4s 3s +33%
polyvecl_unpack_eta 4s 2s +100%
polyz_unpack_17_native_aarch64 4s 4s +0%
polyz_unpack_native 4s 4s +0%
reduce32 4s 4s +0%
rej_eta_c 4s 3s +33%
rej_eta_native 4s 4s +0%
shake256 4s 3s +33%
unpack_sk_s2hat 4s 4s +0%
unpack_sk_t0hat 4s 3s +33%
use_hint 4s 2s +100%
decompose 3s 3s +0%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 3s 2s +50%
keccak_f1600_x4_native_avx2 3s 3s +0%
make_hint 3s 3s +0%
mld_ct_cmask_nonzero_u8 3s 4s -25%
mld_ct_get_optblocker_i64 3s 3s +0%
mld_ct_get_optblocker_u32 3s 3s +0%
mld_h 3s 3s +0%
mld_sample_s1_s2_serial 3s 5s -40%
mld_value_barrier_i64 3s 1s +200%
mld_value_barrier_u8 3s 1s +200%
montgomery_reduce 3s 4s -25%
pack_pk 3s 2s +50%
pack_sig_h_poly 3s 4s -25%
poly_caddq_native 3s 3s +0%
poly_caddq_native_aarch64 3s 3s +0%
poly_chknorm 3s 4s -25%
poly_chknorm_native 3s 2s +50%
poly_decompose 3s 2s +50%
poly_decompose_c 3s 3s +0%
poly_decompose_native 3s 4s -25%
poly_ntt_c 3s 2s +50%
poly_permute_bitrev_to_custom_optional 3s 3s +0%
poly_pointwise_montgomery 3s 4s -25%
poly_pointwise_montgomery_native 3s 4s -25%
poly_sub 3s 2s +50%
poly_uniform_eta 3s 3s +0%
poly_uniform_gamma1 3s 3s +0%
poly_uniform_gamma1_4x 3s 3s +0%
poly_use_hint_c 3s 4s -25%
poly_use_hint_native_aarch64 3s 5s -40%
polyvec_matrix_pointwise_montgomery_row 3s 5s -40%
polyveck_pack_t0 3s 4s -25%
polyveck_unpack_eta 3s 3s +0%
polyvecl_pack_eta 3s 2s +50%
polyvecl_uniform_gamma1_serial 3s 3s +0%
polyvecl_unpack_z 3s 3s +0%
polyw1_pack 3s 3s +0%
polyz_pack 3s 2s +50%
polyz_unpack 3s 2s +50%
power2round 3s 2s +50%
shake128_finalize 3s 6s -50%
shake128x4_squeezeblocks 3s 1s +200%
shake256_finalize 3s 2s +50%
shake256_release 3s 2s +50%
shake256_squeeze 3s 7s -57%
sign_verify_extmu 3s 4s -25%
sk_t0hat_get_poly 3s 3s +0%
unpack_sk_s1hat 3s 4s -25%
yvec_get_poly 3s 3s +0%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 1s +100%
keccak_finalize 2s 2s +0%
keccak_squeeze 2s 3s -33%
keccakf1600_xor_bytes 2s 2s +0%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_extract_bytes 2s 3s -33%
keccakf1600x4_permute 2s 4s -50%
mld_ct_abs_i32 2s 2s +0%
mld_ct_cmask_nonzero_u32 2s 5s -60%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_ct_sel_int32 2s 1s +100%
mld_polymat_expand_entry 2s 5s -60%
mld_value_barrier_u32 2s 1s +100%
pack_sig_z 2s 4s -50%
poly_caddq 2s 3s -33%
poly_ntt 2s 3s -33%
poly_reduce 2s 2s +0%
poly_use_hint 2s 3s -33%
polyeta_pack 2s 3s -33%
polyt1_pack 2s 2s +0%
rej_eta 2s 3s -33%
shake128_init 2s 3s -33%
shake128x4_absorb_once 2s 1s +100%
shake256_absorb 2s 3s -33%
shake256_init 2s 2s +0%
shake256x4_absorb_once 2s 2s +0%
shake256x4_squeezeblocks 2s 3s -33%
sign_verify 2s 4s -50%
sk_s1hat_get_poly 2s 3s -33%
sk_s2hat_get_poly 2s 2s +0%
sys_check_capability 2s 3s -33%
yvec_init 2s 2s +0%
keccak_f1600_x1_native_aarch64_v84a 1s 3s -67%
keccak_init 1s 2s -50%
mld_ct_cmask_neg_i32 1s 4s -75%
mld_keccakf1600_extract_bytes 1s 3s -67%
pack_sk_rho_key_tr_s2_t0 1s 3s -67%
poly_invntt_tomont 1s 3s -67%
polyvecl_pointwise_acc_montgomery 1s 4s -75%
shake128_absorb 1s 2s -50%
shake128_release 1s 4s -75%
shake128_squeeze 1s 2s -50%

@hanno-becker hanno-becker marked this pull request as ready for review May 3, 2026 06:45
@hanno-becker hanno-becker requested a review from a team as a code owner May 3, 2026 06:45
mkannwischer
mkannwischer requested changes May 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @hanno-becker. The port looks good to me.
Can we also cover the rejction sampling, please?

The commit message could use updating:

* Build the unit test objects with custom_heap_alloc_config.h by adding
  the appropriate -DMLD_CONFIG_FILE, -std=c11, and -D_GNU_SOURCE flags
  in components.mk, factored through a new UNIT_CFLAGS variable.

@hanno-becker
Copy link
Copy Markdown
Contributor Author

hanno-becker commented May 3, 2026

@mkannwischer This is a pre-existing test gap? It should be addressed, but seems orthogonal to this PR.

@hanno-becker
Copy link
Copy Markdown
Contributor Author

hanno-becker commented May 4, 2026
edited
Loading

Opened #1090 and addressed in the follow-up commit. Also fixed the commit message.

@hanno-becker hanno-becker requested a review from mkannwischer May 4, 2026 05:57
mkannwischer
mkannwischer approved these changes May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @hanno-becker for adding that. LGTM. Happy if CI is.

@hanno-becker
Use heap allocation + valgrind in backend unit test
590a365 
Port of mlkem-native#1633 to mldsa-native.

* Replace aligned_alloc + MLD_ALIGN_UP with posix_memalign in
  custom_heap_alloc_config.h. Unlike aligned_alloc, posix_memalign
  does not require the size to be a multiple of the alignment,
  removing the need for MLD_ALIGN_UP rounding. This ensures that
  allocations are exact-sized, allowing memory-safety tests like
  valgrind and ASan to detect overflows at precise buffer boundaries.
  On Windows, _aligned_malloc is used instead. Also adds the missing
  configs.yml entry so the file is tracked by autogen.

* Replaced stack-allocated buffers in test_unit.c with allocations
  based on customizable MLD_ALLOC/FREE. The existing unit test run
  in CI remains stack-based for portability.

* Add separate unit_valgrind job to ci.yml that, on x86_64 and
  aarch64 runners, runs the unit tests using valgrind + heap-based
  MLD_ALLOC/FREE. This catches buffer overflows in hand-written assembly
  that ASan cannot detect, since ASan only instruments
  compiler-generated code.

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@hanno-becker
Add backend unit tests for rej_uniform and rej_uniform_eta{2,4}
4623fc7 
Add native-vs-C consistency tests for previously untested backends:
- mld_rej_uniform_native: compare against mld_rej_uniform_c
- mld_rej_uniform_eta2_native: compare against mld_rej_eta_c
- mld_rej_uniform_eta4_native: compare against mld_rej_eta_c

In line with mlkem-native, these tests call the native backends directly.

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@hanno-becker
AArch64: Avoid unaligned store in rejection sampling
14243f9 
Fixes #1092

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@hanno-becker
Copy link
Copy Markdown
Contributor Author

hanno-becker commented May 4, 2026

@mkannwischer Multiplexed the unit test for rej_uniform to cover N=1,2,3,4,5 blocks.

@mkannwischer mkannwischer merged commit a4fbc61 into main May 4, 2026
1687 of 1690 checks passed
@mkannwischer mkannwischer deleted the port_1633 branch May 4, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkannwischer mkannwischer mkannwischer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hanno-becker @oqs-bot @mkannwischer