Skip to content

Add AArch64 ML-DSA Forward NTT HOL Light proof#993

Open
dkostic wants to merge 4 commits intomainfrom
aarch64-ntt-hol
Open

Add AArch64 ML-DSA Forward NTT HOL Light proof#993
dkostic wants to merge 4 commits intomainfrom
aarch64-ntt-hol

Conversation

@dkostic
Copy link

@dkostic dkostic commented Mar 10, 2026
edited by mkannwischer
Loading

Port the ML-DSA Forward NTT implementation and its HOL Light proof of correctness from s2n-bignum to mldsa-native. The proof verifies the AArch64 NEON NTT implementation at the object-code level, showing that the output coefficients are congruent to the forward NTT of the input modulo 8380417, with bounded output coefficients. A constant-time and memory safety proof is also included.

New files:

  • aarch64/mldsa/mldsa_ntt.S: Assembly derived from dev/aarch64_opt/src/ntt.S
  • aarch64/proofs/mldsa_ntt.ml: HOL Light proof (MLDSA_NTT_CORRECT, MLDSA_NTT_SUBROUTINE_CORRECT, and MLDSA_NTT_SUBROUTINE_SAFE theorems)
  • aarch64/proofs/mldsa_specs.ml: Self-contained ML-DSA specifications and congruence/bounds propagation infrastructure, ported from s2n-bignum's common/mlkem_mldsa.ml with only ARM ML-DSA relevant definitions
  • aarch64/proofs/subroutine_signatures.ml: ML-DSA subroutine signatures for the safety proof infrastructure

Modified files:

@dkostic dkostic requested a review from a team as a code owner March 10, 2026 04:13
@dkostic
Copy link
Author

dkostic commented Mar 10, 2026
edited
Loading

addresses #919

@oqs-bot
Copy link
Contributor

oqs-bot commented Mar 10, 2026
edited
Loading

CBMC Results (ML-DSA-44)

Full Results (176 proofs)
Proof Status Current Previous Change
**TOTAL** 2097s 2039s +2.8%
mld_attempt_signature_generation 244s 247s -1%
polyvecl_pointwise_acc_montgomery_c 237s 221s +7%
poly_pointwise_montgomery_c 173s 161s +7%
rej_uniform_native 151s 151s +0%
sign_verify_internal 127s 132s -4%
mld_invntt_layer 95s 88s +8%
mld_ct_memcmp 84s 76s +11%
mld_ntt_layer 55s 56s -2%
keccak_squeezeblocks_x4 44s 44s +0%
sign_signature_internal 34s 35s -3%
polyvec_matrix_expand 30s 27s +11%
poly_chknorm_c 21s 21s +0%
fqmul 20s 19s +5%
rej_uniform 20s 22s -9%
mld_compute_t0_t1_tr_from_sk_components 18s 15s +20%
polyeta_unpack 18s 17s +6%
rej_uniform_c 18s 14s +29%
poly_uniform_eta_4x 17s 18s -6%
polymat_permute_bitrev_to_custom 15s 16s -6%
poly_uniform_4x 14s 16s -12%
polyt0_unpack 14s 15s -7%
polyvec_matrix_expand_serial 14s 11s +27%
polyvec_matrix_pointwise_montgomery 14s 11s +27%
polyveck_power2round 14s 11s +27%
mld_ntt_butterfly_block 13s 12s +8%
poly_add 13s 13s +0%
keccakf1600x4_permute_native 12s 14s -14%
polyz_unpack_c 11s 11s +0%
sign 11s 6s +83%
keccak_absorb_once_x4 10s 10s +0%
keccakf1600_permute_native 9s 8s +12%
keccakf1600_permute 8s 8s +0%
polyveck_use_hint 8s 7s +14%
sign_pk_from_sk 8s 5s +60%
keccak_absorb 7s 8s -12%
mld_check_pct 7s 7s +0%
mld_polyvecl_permute_bitrev_to_custom_native 7s 7s +0%
poly_challenge 7s 5s +40%
poly_uniform_eta 7s 3s +133%
poly_use_hint_c 7s 5s +40%
polyveck_chknorm 7s 6s +17%
polyveck_sub 7s 4s +75%
poly_caddq_c 6s 6s +0%
poly_invntt_tomont_c 6s 6s +0%
polyveck_add 6s 7s -14%
polyveck_pointwise_poly_montgomery 6s 6s +0%
polyveck_reduce 6s 5s +20%
polyveck_shiftl 6s 6s +0%
polyvecl_ntt 6s 3s +100%
unpack_hints 6s 5s +20%
keccak_init 5s 2s +150%
mld_compute_pack_z 5s 10s -50%
mld_ct_cmask_neg_i32 5s 2s +150%
mld_h 5s 3s +67%
poly_uniform_gamma1_4x 5s 2s +150%
polyveck_caddq 5s 5s +0%
polyveck_pack_w1 5s 4s +25%
polyvecl_pointwise_acc_montgomery_native 5s 3s +67%
sign_keypair_internal 5s 4s +25%
sign_signature_extmu 5s 3s +67%
sign_signature_pre_hash_shake256 5s 7s -29%
sign_verify_pre_hash_shake256 5s 4s +25%
unpack_sk 5s 3s +67%
use_hint 5s 4s +25%
caddq 4s 3s +33%
fqscale 4s 3s +33%
intt_native_x86_64 4s 4s +0%
keccak_squeeze 4s 3s +33%
keccakf1600x4_xor_bytes 4s 2s +100%
make_hint 4s 2s +100%
mld_sample_s1_s2 4s 6s -33%
pack_sk 4s 2s +100%
poly_caddq 4s 4s +0%
poly_chknorm 4s 2s +100%
poly_decompose_c 4s 4s +0%
poly_decompose_native 4s 3s +33%
poly_ntt_native 4s 3s +33%
poly_power2round 4s 4s +0%
poly_reduce 4s 3s +33%
poly_sub 4s 3s +33%
poly_uniform 4s 3s +33%
poly_use_hint_native 4s 3s +33%
polyveck_decompose 4s 5s -20%
polyveck_invntt_tomont 4s 5s -20%
polyveck_make_hint 4s 6s -33%
polyveck_ntt 4s 6s -33%
polyveck_unpack_t0 4s 2s +100%
polyvecl_chknorm 4s 5s -20%
polyvecl_pointwise_acc_montgomery 4s 4s +0%
polyvecl_uniform_gamma1 4s 4s +0%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyz_unpack 4s 3s +33%
polyz_unpack_native 4s 2s +100%
power2round 4s 3s +33%
shake128_release 4s 2s +100%
sign_open 4s 3s +33%
sign_verify 4s 4s +0%
sign_verify_extmu 4s 4s +0%
sys_check_capability 4s 2s +100%
unpack_pk 4s 3s +33%
decompose 3s 2s +50%
keccak_finalize 3s 2s +50%
keccakf1600x4_permute 3s 3s +0%
mld_ct_cmask_nonzero_u32 3s 5s -40%
mld_ct_get_optblocker_u32 3s 1s +200%
mld_ct_get_optblocker_u8 3s 2s +50%
mld_sample_s1_s2_serial 3s 5s -40%
montgomery_reduce 3s 1s +200%
ntt_native_aarch64 3s - new
pack_sig_z 3s 3s +0%
poly_invntt_tomont_native 3s 4s -25%
poly_ntt 3s 3s +0%
poly_ntt_c 3s 3s +0%
poly_pointwise_montgomery 3s 5s -40%
poly_pointwise_montgomery_native 3s 3s +0%
poly_uniform_gamma1 3s 2s +50%
poly_use_hint 3s 6s -50%
polyeta_pack 3s 1s +200%
polyt0_pack 3s 3s +0%
polyt1_pack 3s 5s -40%
polyveck_pack_eta 3s 3s +0%
polyvecl_unpack_eta 3s 4s -25%
polyvecl_unpack_z 3s 4s -25%
polyz_pack 3s 4s -25%
rej_eta_c 3s 4s -25%
rej_eta_native 3s 4s -25%
shake128_absorb 3s 2s +50%
shake128_finalize 3s 2s +50%
shake128_init 3s 3s +0%
shake128x4_absorb_once 3s 2s +50%
shake256_finalize 3s 3s +0%
shake256x4_absorb_once 3s 3s +0%
shake256x4_squeezeblocks 3s 2s +50%
sign_signature 3s 4s -25%
sign_verify_pre_hash_internal 3s 5s -40%
unpack_sig 3s 2s +50%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600_xor_bytes 2s 2s +0%
keccakf1600_xor_bytes (big endian) 2s 3s -33%
mld_ct_abs_i32 2s 2s +0%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_ct_sel_int32 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 3s -33%
mld_prepare_domain_separation_prefix 2s 4s -50%
mld_value_barrier_i64 2s 3s -33%
mld_value_barrier_u32 2s 1s +100%
mld_value_barrier_u8 2s 3s -33%
ntt_native_x86_64 2s 3s -33%
pack_pk 2s 4s -50%
pack_sig_c_h 2s 4s -50%
poly_caddq_native 2s 2s +0%
poly_caddq_native_aarch64 2s 4s -50%
poly_chknorm_native 2s 5s -60%
poly_decompose 2s 2s +0%
poly_invntt_tomont 2s 3s -33%
poly_make_hint 2s 6s -67%
polyt1_unpack 2s 3s -33%
polyveck_pack_t0 2s 4s -50%
polyveck_unpack_eta 2s 4s -50%
polyvecl_pack_eta 2s 2s +0%
polyvecl_permute_bitrev_to_custom 2s 4s -50%
polyw1_pack 2s 3s -33%
reduce32 2s 2s +0%
shake128_squeeze 2s 2s +0%
shake128x4_squeezeblocks 2s 2s +0%
shake256 2s 2s +0%
shake256_absorb 2s 2s +0%
shake256_init 2s 5s -60%
shake256_release 2s 4s -50%
shake256_squeeze 2s 3s -33%
sign_keypair 2s 4s -50%
sign_signature_pre_hash_internal 2s 4s -50%
keccakf1600x4_extract_bytes 1s 4s -75%
poly_shiftl 1s 4s -75%
rej_eta 1s 2s -50%

@oqs-bot
Copy link
Contributor

oqs-bot commented Mar 10, 2026
edited
Loading

CBMC Results (ML-DSA-65)

Full Results (176 proofs)
Proof Status Current Previous Change
**TOTAL** 2581s 2521s +2.4%
sign_verify_internal 353s 351s +1%
mld_attempt_signature_generation 287s 279s +3%
polyvecl_pointwise_acc_montgomery_c 206s 195s +6%
poly_pointwise_montgomery_c 168s 165s +2%
rej_uniform_native 155s 149s +4%
polyvec_matrix_expand 132s 128s +3%
mld_invntt_layer 101s 97s +4%
mld_ct_memcmp 81s 78s +4%
polyvec_matrix_expand_serial 70s 70s +0%
mld_ntt_layer 59s 57s +4%
keccak_squeezeblocks_x4 45s 43s +5%
sign_signature_internal 38s 39s -3%
polymat_permute_bitrev_to_custom 31s 32s -3%
mld_compute_t0_t1_tr_from_sk_components 27s 26s +4%
rej_uniform 21s 19s +11%
poly_chknorm_c 20s 20s +0%
fqmul 18s 20s -10%
poly_uniform_eta_4x 18s 15s +20%
poly_uniform_4x 17s 15s +13%
polyt0_unpack 17s 14s +21%
rej_uniform_c 16s 16s +0%
mld_ntt_butterfly_block 15s 13s +15%
polyveck_decompose 13s 14s -7%
polyvecl_chknorm 13s 11s +18%
keccakf1600x4_permute_native 12s 13s -8%
polyvec_matrix_pointwise_montgomery 12s 12s +0%
keccak_absorb_once_x4 11s 12s -8%
poly_add 11s 11s +0%
polyveck_invntt_tomont 11s 9s +22%
polyveck_sub 11s 12s -8%
polyveck_add 10s 11s -9%
polyveck_ntt 10s 10s +0%
polyveck_power2round 10s 11s -9%
keccakf1600_permute_native 9s 7s +29%
polyveck_use_hint 9s 8s +12%
keccak_absorb 8s 7s +14%
mld_polyvecl_permute_bitrev_to_custom_native 8s 9s -11%
polyt0_pack 8s 6s +33%
polyveck_caddq 8s 7s +14%
polyveck_pointwise_poly_montgomery 8s 8s +0%
polyveck_reduce 8s 6s +33%
polyveck_shiftl 8s 6s +33%
sign 8s 7s +14%
sign_pk_from_sk 8s 10s -20%
sign_verify_extmu 8s 3s +167%
keccakf1600_permute 7s 7s +0%
keccakf1600x4_permute 7s 5s +40%
polyvecl_ntt 7s 7s +0%
intt_native_x86_64 6s 2s +200%
mld_check_pct 6s 7s -14%
poly_caddq_c 6s 5s +20%
poly_decompose_c 6s 7s -14%
poly_invntt_tomont_c 6s 8s -25%
poly_ntt_c 6s 4s +50%
poly_power2round 6s 4s +50%
polyeta_unpack 6s 5s +20%
polyveck_make_hint 6s 6s +0%
rej_eta_native 6s 7s -14%
sign_verify_pre_hash_shake256 6s 5s +20%
unpack_hints 6s 4s +50%
mld_ct_get_optblocker_u8 5s 3s +67%
mld_h 5s 5s +0%
mld_prepare_domain_separation_prefix 5s 5s +0%
mld_sample_s1_s2 5s 6s -17%
mld_sample_s1_s2_serial 5s 5s +0%
poly_chknorm 5s 3s +67%
poly_uniform_gamma1 5s 2s +150%
poly_uniform_gamma1_4x 5s 4s +25%
polyveck_chknorm 5s 7s -29%
polyvecl_uniform_gamma1 5s 4s +25%
shake128_release 5s 2s +150%
shake256_finalize 5s 2s +150%
sign_keypair_internal 5s 4s +25%
sign_signature_pre_hash_shake256 5s 4s +25%
unpack_sig 5s 2s +150%
unpack_sk 5s 6s -17%
keccak_squeeze 4s 4s +0%
make_hint 4s 2s +100%
mld_compute_pack_z 4s 6s -33%
mld_ct_sel_int32 4s 1s +300%
ntt_native_x86_64 4s 5s -20%
pack_sig_z 4s 2s +100%
poly_decompose 4s 5s -20%
poly_invntt_tomont_native 4s 4s +0%
poly_pointwise_montgomery_native 4s 5s -20%
poly_uniform 4s 6s -33%
poly_uniform_eta 4s 7s -43%
poly_use_hint 4s 4s +0%
poly_use_hint_c 4s 5s -20%
polyveck_pack_t0 4s 4s +0%
polyveck_pack_w1 4s 3s +33%
polyvecl_pointwise_acc_montgomery_native 4s 4s +0%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyvecl_unpack_z 4s 3s +33%
polyw1_pack 4s 2s +100%
polyz_unpack_c 4s 3s +33%
polyz_unpack_native 4s 4s +0%
rej_eta_c 4s 4s +0%
shake128x4_squeezeblocks 4s 1s +300%
shake256 4s 2s +100%
shake256_release 4s 1s +300%
shake256_squeeze 4s 2s +100%
sign_open 4s 8s -50%
sign_signature_extmu 4s 4s +0%
caddq 3s 4s -25%
decompose 3s 2s +50%
fqscale 3s 3s +0%
keccakf1600_xor_bytes 3s 3s +0%
keccakf1600_xor_bytes (big endian) 3s 2s +50%
keccakf1600x4_extract_bytes 3s 1s +200%
keccakf1600x4_xor_bytes 3s 2s +50%
mld_ct_abs_i32 3s 3s +0%
mld_ct_cmask_neg_i32 3s 2s +50%
mld_ct_cmask_nonzero_u8 3s 7s -57%
mld_keccakf1600_extract_bytes 3s 2s +50%
mld_value_barrier_u32 3s 3s +0%
pack_pk 3s 3s +0%
pack_sig_c_h 3s 5s -40%
pack_sk 3s 3s +0%
poly_caddq 3s 4s -25%
poly_caddq_native 3s 2s +50%
poly_caddq_native_aarch64 3s 4s -25%
poly_challenge 3s 3s +0%
poly_invntt_tomont 3s 3s +0%
poly_make_hint 3s 7s -57%
poly_ntt 3s 3s +0%
poly_pointwise_montgomery 3s 3s +0%
poly_use_hint_native 3s 4s -25%
polyt1_pack 3s 4s -25%
polyt1_unpack 3s 3s +0%
polyvecl_permute_bitrev_to_custom 3s 3s +0%
polyvecl_pointwise_acc_montgomery 3s 2s +50%
polyz_pack 3s 2s +50%
power2round 3s 2s +50%
reduce32 3s 1s +200%
rej_eta 3s 3s +0%
shake128x4_absorb_once 3s 2s +50%
shake256_absorb 3s 2s +50%
shake256_init 3s 2s +50%
sign_verify 3s 5s -40%
sign_verify_pre_hash_internal 3s 6s -50%
unpack_pk 3s 4s -25%
use_hint 3s 3s +0%
keccak_finalize 2s 2s +0%
keccak_init 2s 3s -33%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
mld_ct_cmask_nonzero_u32 2s 3s -33%
mld_ct_get_optblocker_u32 2s 1s +100%
mld_value_barrier_i64 2s 2s +0%
mld_value_barrier_u8 2s 5s -60%
montgomery_reduce 2s 3s -33%
ntt_native_aarch64 2s - new
poly_chknorm_native 2s 2s +0%
poly_decompose_native 2s 3s -33%
poly_ntt_native 2s 4s -50%
poly_reduce 2s 4s -50%
poly_shiftl 2s 2s +0%
poly_sub 2s 4s -50%
polyeta_pack 2s 4s -50%
polyveck_unpack_eta 2s 5s -60%
polyveck_unpack_t0 2s 3s -33%
polyvecl_pack_eta 2s 4s -50%
polyvecl_unpack_eta 2s 3s -33%
polyz_unpack 2s 2s +0%
shake128_absorb 2s 3s -33%
shake128_finalize 2s 3s -33%
shake128_init 2s 1s +100%
shake128_squeeze 2s 3s -33%
shake256x4_squeezeblocks 2s 3s -33%
sign_keypair 2s 4s -50%
sign_signature 2s 4s -50%
sign_signature_pre_hash_internal 2s 4s -50%
mld_ct_get_optblocker_i64 1s 2s -50%
polyveck_pack_eta 1s 4s -75%
shake256x4_absorb_once 1s 1s +0%
sys_check_capability 1s 4s -75%

@oqs-bot
Copy link
Contributor

oqs-bot commented Mar 10, 2026
edited
Loading

CBMC Results (ML-DSA-87)

Full Results (176 proofs)
Proof Status Current Previous Change
**TOTAL** 2659s 2658s +0.0%
sign_verify_internal 331s 337s -2%
polyvecl_pointwise_acc_montgomery_c 280s 270s +4%
mld_attempt_signature_generation 233s 233s +0%
polyvec_matrix_expand 174s 177s -2%
rej_uniform_native 148s 147s +1%
poly_pointwise_montgomery_c 147s 156s -6%
mld_invntt_layer 95s 91s +4%
polyvec_matrix_expand_serial 81s 81s +0%
mld_ct_memcmp 70s 79s -11%
polyveck_decompose 58s 55s +5%
sign_signature_internal 54s 51s +6%
mld_ntt_layer 53s 52s +2%
polymat_permute_bitrev_to_custom 47s 46s +2%
keccak_squeezeblocks_x4 41s 41s +0%
mld_compute_t0_t1_tr_from_sk_components 24s 26s -8%
rej_uniform 22s 23s -4%
fqmul 20s 19s +5%
poly_chknorm_c 18s 20s -10%
polyeta_unpack 17s 17s +0%
poly_uniform_4x 15s 18s -17%
poly_uniform_eta_4x 15s 15s +0%
polyt0_unpack 14s 13s +8%
rej_uniform_c 14s 16s -12%
keccak_absorb_once_x4 13s 10s +30%
mld_ntt_butterfly_block 13s 12s +8%
keccakf1600x4_permute_native 12s 12s +0%
mld_polyvecl_permute_bitrev_to_custom_native 12s 12s +0%
poly_add 11s 11s +0%
polyvec_matrix_pointwise_montgomery 11s 11s +0%
polyveck_use_hint 11s 11s +0%
poly_decompose_c 10s 9s +11%
polyveck_add 10s 11s -9%
keccakf1600_permute 9s 7s +29%
polyveck_ntt 9s 8s +12%
polyveck_pointwise_poly_montgomery 9s 9s +0%
polyveck_power2round 9s 8s +12%
polyveck_reduce 9s 10s -10%
polyvecl_ntt 9s 9s +0%
keccak_absorb 8s 9s -11%
keccakf1600_permute_native 8s 9s -11%
mld_sample_s1_s2_serial 8s 7s +14%
poly_invntt_tomont_c 8s 7s +14%
polyz_unpack_c 8s 10s -20%
mld_check_pct 7s 8s -12%
poly_uniform 7s 4s +75%
polyveck_invntt_tomont 7s 10s -30%
polyveck_shiftl 7s 7s +0%
polyveck_sub 7s 7s +0%
sign 7s 8s -12%
sign_pk_from_sk 7s 7s +0%
mld_prepare_domain_separation_prefix 6s 4s +50%
poly_challenge 6s 3s +100%
polyveck_caddq 6s 10s -40%
polyveck_chknorm 6s 4s +50%
sign_keypair_internal 6s 7s -14%
keccakf1600x4_permute 5s 2s +150%
mld_compute_pack_z 5s 9s -44%
mld_h 5s 5s +0%
mld_sample_s1_s2 5s 8s -38%
montgomery_reduce 5s 4s +25%
poly_caddq_c 5s 5s +0%
poly_chknorm_native 5s 3s +67%
poly_ntt_native 5s 4s +25%
poly_power2round 5s 6s -17%
poly_sub 5s 3s +67%
poly_uniform_eta 5s 7s -29%
poly_uniform_gamma1 5s 2s +150%
poly_use_hint_c 5s 3s +67%
polyveck_unpack_t0 5s 5s +0%
polyvecl_chknorm 5s 6s -17%
polyz_unpack_native 5s 3s +67%
rej_eta_native 5s 5s +0%
sign_signature_extmu 5s 6s -17%
sign_signature_pre_hash_internal 5s 4s +25%
sign_verify_extmu 5s 3s +67%
sys_check_capability 5s 3s +67%
unpack_hints 5s 6s -17%
unpack_pk 5s 2s +150%
decompose 4s 4s +0%
intt_native_x86_64 4s 3s +33%
keccak_finalize 4s 1s +300%
keccakf1600_extract_bytes (big endian) 4s 4s +0%
keccakf1600_xor_bytes 4s 1s +300%
keccakf1600_xor_bytes (big endian) 4s 2s +100%
mld_ct_abs_i32 4s 1s +300%
mld_ct_cmask_nonzero_u32 4s 3s +33%
mld_ct_sel_int32 4s 3s +33%
mld_value_barrier_u8 4s 3s +33%
ntt_native_aarch64 4s - new
pack_pk 4s 2s +100%
pack_sig_z 4s 3s +33%
pack_sk 4s 2s +100%
poly_caddq_native 4s 4s +0%
poly_chknorm 4s 4s +0%
poly_decompose_native 4s 4s +0%
poly_invntt_tomont 4s 3s +33%
poly_invntt_tomont_native 4s 2s +100%
poly_ntt 4s 3s +33%
poly_pointwise_montgomery 4s 2s +100%
poly_shiftl 4s 4s +0%
poly_uniform_gamma1_4x 4s 3s +33%
poly_use_hint 4s 3s +33%
poly_use_hint_native 4s 3s +33%
polyeta_pack 4s 3s +33%
polyveck_make_hint 4s 8s -50%
polyvecl_uniform_gamma1 4s 5s -20%
polyvecl_unpack_eta 4s 4s +0%
polyvecl_unpack_z 4s 4s +0%
polyw1_pack 4s 2s +100%
power2round 4s 3s +33%
reduce32 4s 3s +33%
shake128_finalize 4s 3s +33%
sign_keypair 4s 6s -33%
sign_open 4s 4s +0%
sign_verify_pre_hash_internal 4s 3s +33%
sign_verify_pre_hash_shake256 4s 4s +0%
unpack_sk 4s 5s -20%
caddq 3s 5s -40%
fqscale 3s 2s +50%
keccak_init 3s 4s -25%
mld_ct_cmask_neg_i32 3s 3s +0%
mld_ct_cmask_nonzero_u8 3s 3s +0%
mld_ct_get_optblocker_u32 3s 2s +50%
ntt_native_x86_64 3s 3s +0%
poly_decompose 3s 2s +50%
poly_make_hint 3s 2s +50%
poly_reduce 3s 4s -25%
polyt1_unpack 3s 2s +50%
polyveck_pack_w1 3s 3s +0%
polyveck_unpack_eta 3s 4s -25%
polyvecl_permute_bitrev_to_custom 3s 3s +0%
polyvecl_uniform_gamma1_serial 3s 6s -50%
polyz_pack 3s 2s +50%
rej_eta 3s 2s +50%
rej_eta_c 3s 4s -25%
shake128_squeeze 3s 3s +0%
shake128x4_absorb_once 3s 3s +0%
shake256_release 3s 2s +50%
shake256_squeeze 3s 1s +200%
sign_signature_pre_hash_shake256 3s 4s -25%
sign_verify 3s 4s -25%
unpack_sig 3s 2s +50%
use_hint 3s 5s -40%
keccak_squeeze 2s 3s -33%
keccakf1600x4_extract_bytes 2s 2s +0%
make_hint 2s 5s -60%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_value_barrier_i64 2s 2s +0%
mld_value_barrier_u32 2s 2s +0%
pack_sig_c_h 2s 3s -33%
poly_caddq 2s 4s -50%
poly_caddq_native_aarch64 2s 2s +0%
poly_ntt_c 2s 3s -33%
poly_pointwise_montgomery_native 2s 3s -33%
polyt0_pack 2s 4s -50%
polyt1_pack 2s 2s +0%
polyveck_pack_eta 2s 3s -33%
polyveck_pack_t0 2s 4s -50%
polyvecl_pack_eta 2s 4s -50%
polyvecl_pointwise_acc_montgomery 2s 2s +0%
polyvecl_pointwise_acc_montgomery_native 2s 4s -50%
polyz_unpack 2s 3s -33%
shake128_absorb 2s 3s -33%
shake128_init 2s 3s -33%
shake128_release 2s 2s +0%
shake128x4_squeezeblocks 2s 2s +0%
shake256 2s 3s -33%
shake256_absorb 2s 3s -33%
shake256_finalize 2s 3s -33%
shake256_init 2s 3s -33%
shake256x4_absorb_once 2s 2s +0%
shake256x4_squeezeblocks 2s 2s +0%
sign_signature 2s 4s -50%
keccakf1600x4_xor_bytes 1s 4s -75%
mld_ct_get_optblocker_i64 1s 3s -67%
mld_keccakf1600_extract_bytes 1s 2s -50%

mkannwischer
mkannwischer requested changes Mar 10, 2026
View reviewed changes
Copy link
Contributor

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dkostic! I took the liberty to add the corresponding CBMC contract and proof.

The specs should still be moved into common/ to be shared with the x86 proofs. Rest looks very good to me.

mkannwischer
mkannwischer requested changes Mar 15, 2026
View reviewed changes
@mkannwischer mkannwischer force-pushed the aarch64-ntt-hol branch 2 times, most recently from 6285a26 to 581acd0 Compare March 15, 2026 07:59
mkannwischer
mkannwischer approved these changes Mar 15, 2026
View reviewed changes
Copy link
Contributor

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dkostic for the changes! I took the liberty to revert some of the changes you made to the hol_light workflow as they are not needed.
Rest looks good to me now.

@hanno-becker, could you take another look, please?

hanno-becker
hanno-becker reviewed Mar 16, 2026
View reviewed changes
hanno-becker
hanno-becker reviewed Mar 16, 2026
View reviewed changes
hanno-becker
hanno-becker reviewed Mar 16, 2026
View reviewed changes
hanno-becker
hanno-becker requested changes Mar 16, 2026
View reviewed changes
Copy link
Contributor

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks excellent, thank you @dkostic!

The only minor point is the avoidance of hardcoded lengths constants in the scripts. Could you follow the pattern in mlkem-native to avoid hardcoded lengths and thereby make the proof scripts agnostic to re-running SLOTHY?

dkostic and others added 4 commits March 18, 2026 04:22
@dkostic @hanno-becker
Add AArch64 ML-DSA Forward NTT HOL Light proof
c369948 
Port the ML-DSA Forward NTT implementation and its HOL Light proof of
correctness from s2n-bignum to mldsa-native. The proof verifies the
AArch64 NEON NTT implementation at the object-code level, showing that
the output coefficients are congruent to the forward NTT of the input
modulo 8380417, with bounded output coefficients. A constant-time and
memory safety proof is also included.

New files:
- aarch64/mldsa/mldsa_ntt.S: Assembly derived from dev/aarch64_opt/src/ntt.S
- aarch64/proofs/mldsa_ntt.ml: HOL Light proof (MLDSA_NTT_CORRECT,
MLDSA_NTT_SUBROUTINE_CORRECT, and MLDSA_NTT_SUBROUTINE_SAFE theorems)
- aarch64/proofs/mldsa_specs.ml: Self-contained ML-DSA specifications and
congruence/bounds propagation infrastructure, ported from s2n-bignum's
common/mlkem_mldsa.ml with only ARM ML-DSA relevant definitions
- aarch64/proofs/subroutine_signatures.ml: ML-DSA subroutine signatures
for the safety proof infrastructure

Modified files:
- aarch64/proofs/aarch64_utils.ml: Add MEMORY_128_FROM_32_TAC
- aarch64/Makefile: Add mldsa_ntt to build targets

Signed-off-by: dkostic <dkostic@amazon.com>
@mkannwischer @hanno-becker
CBMC: Add AArch64 NTT contract and proof
3d5fa4e 
Add CBMC contract for mld_ntt_asm matching the bounds from the
AArch64 NTT HOL Light proof (input: abs <= 8380416, output: abs <= 75423752).
Add corresponding CBMC proof for mld_ntt_native using the contract.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@dkostic @hanno-becker
Merge AArch64 and x86_64 mldsa_specs.ml into common/mldsa_specs.ml
b7747cf 
Consolidate the shared ML-DSA specifications and congruence/bounds
propagation infrastructure into a single file at
proofs/hol_light/common/mldsa_specs.ml, used by both AArch64 and
x86_64 proofs.

The merged file contains:
- Shared: bitreverse8, reorder, BITREVERSE8_CLAUSES, congruence/bounds
  infrastructure (CONGBOUND_WORD_*, ASM_CONGBOUND_RULE, etc.), SIMD
  simplification tactics
- x86_64-specific: AVX2 NTT ordering, mldsa_montred/barred/montmul
- AArch64-specific: arm_mldsa_forward_ntt, arm_mldsa_barmul

ASM_CONGBOUND_RULE now handles both arm_mldsa_barmul and
mldsa_montred/barred/montmul cases.

Signed-off-by: dkostic <dkostic@amazon.com>
@dkostic @hanno-becker
Avoid hard-coded lengths in the proof
f7b4f98 
Signed-off-by: dkostic <dkostic@amazon.com>
hanno-becker
hanno-becker approved these changes Mar 18, 2026
View reviewed changes
Copy link
Contributor

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks a lot @dkostic!

@dkostic dkostic mentioned this pull request Mar 18, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkannwischer mkannwischer mkannwischer approved these changes

@hanno-becker hanno-becker hanno-becker approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HOL-Light: Prove AArch64 NTT

4 participants

@dkostic @oqs-bot @mkannwischer @hanno-becker