Skip to content

ML-DSA aarch64 rejection sampling proof#997

Draft
dkostic wants to merge 7 commits intomainfrom
aarch64-rej-sampl-hol
Draft

ML-DSA aarch64 rejection sampling proof#997
dkostic wants to merge 7 commits intomainfrom
aarch64-rej-sampl-hol

Conversation

@dkostic
Copy link

@dkostic dkostic commented Mar 18, 2026
edited by hanno-becker
Loading

ML-DSA aarch64 rejection sampling proof.

This proof was written entirely by Claude Opus 4.6.

The same proof in s2n-bignum: awslabs/s2n-bignum#378

The proof will fail in the CI because it relies on a few new Arm instructions that have to be added to s2n-bignum (see awslabs/s2n-bignum#378).

Also, this PR is on top of the NTT PR (#993), I'll rebase once the NTT PR is merged in.

dkostic and others added 7 commits March 9, 2026 21:12
@dkostic
Add AArch64 ML-DSA Forward NTT HOL Light proof
b437948 
Port the ML-DSA Forward NTT implementation and its HOL Light proof of
correctness from s2n-bignum to mldsa-native. The proof verifies the
AArch64 NEON NTT implementation at the object-code level, showing that
the output coefficients are congruent to the forward NTT of the input
modulo 8380417, with bounded output coefficients. A constant-time and
memory safety proof is also included.

New files:
- aarch64/mldsa/mldsa_ntt.S: Assembly derived from dev/aarch64_opt/src/ntt.S
- aarch64/proofs/mldsa_ntt.ml: HOL Light proof (MLDSA_NTT_CORRECT,
MLDSA_NTT_SUBROUTINE_CORRECT, and MLDSA_NTT_SUBROUTINE_SAFE theorems)
- aarch64/proofs/mldsa_specs.ml: Self-contained ML-DSA specifications and
congruence/bounds propagation infrastructure, ported from s2n-bignum's
common/mlkem_mldsa.ml with only ARM ML-DSA relevant definitions
- aarch64/proofs/subroutine_signatures.ml: ML-DSA subroutine signatures
for the safety proof infrastructure

Modified files:
- aarch64/proofs/aarch64_utils.ml: Add MEMORY_128_FROM_32_TAC
- aarch64/Makefile: Add mldsa_ntt to build targets

Signed-off-by: dkostic <dkostic@amazon.com>
@dkostic
Auto-generate bytecodes and zetas, add NTT proof to CI
a987b97 
- Add BYTECODE START/END markers to mldsa_ntt.ml for autogen
- Add mldsa_ntt.o to dump_bytecode.ml
- Extract zeta constants into auto-generated mldsa_zetas.ml
- Add gen_aarch64_hol_light_zeta_file() to scripts/autogen
- Add mldsa_ntt to the AArch64 HOL Light CI matrix

Signed-off-by: dkostic <dkostic@amazon.com>
@mkannwischer
CBMC: Add AArch64 NTT contract and proof
377d960 
Add CBMC contract for mld_ntt_asm matching the bounds from the
AArch64 NTT HOL Light proof (input: abs <= 8380416, output: abs <= 75423752).
Add corresponding CBMC proof for mld_ntt_native using the contract.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
fixup! CBMC: Add AArch64 NTT contract and proof
d5b64f8 
Add contract to dev/ source files (arith_native_aarch64.h is auto-generated)

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@dkostic
format
d813cc9 
Signed-off-by: dkostic <dkostic@amazon.com>
@dkostic
Merge AArch64 and x86_64 mldsa_specs.ml into common/mldsa_specs.ml
0b391cd 
Consolidate the shared ML-DSA specifications and congruence/bounds
propagation infrastructure into a single file at
proofs/hol_light/common/mldsa_specs.ml, used by both AArch64 and
x86_64 proofs.

The merged file contains:
- Shared: bitreverse8, reorder, BITREVERSE8_CLAUSES, congruence/bounds
  infrastructure (CONGBOUND_WORD_*, ASM_CONGBOUND_RULE, etc.), SIMD
  simplification tactics
- x86_64-specific: AVX2 NTT ordering, mldsa_montred/barred/montmul
- AArch64-specific: arm_mldsa_forward_ntt, arm_mldsa_barmul

ASM_CONGBOUND_RULE now handles both arm_mldsa_barmul and
mldsa_montred/barred/montmul cases.

Signed-off-by: dkostic <dkostic@amazon.com>
@dkostic
aarch64 rejection sampling proof
724fe03 
Signed-off-by: Dusan Kostic <dkostic@amazon.com>
@dkostic dkostic requested a review from a team as a code owner March 18, 2026 23:20
@dkostic
Copy link
Author

dkostic commented Mar 18, 2026

addresses #923 but blocked on some changes in the s2n-bignum repo

@dkostic dkostic marked this pull request as draft March 18, 2026 23:31
@oqs-bot
Copy link
Contributor

oqs-bot commented Mar 18, 2026

CBMC Results (ML-DSA-44)

Full Results (176 proofs)
Proof Status Current Previous Change
**TOTAL** 1939s 2039s -4.9%
mld_attempt_signature_generation 227s 247s -8%
polyvecl_pointwise_acc_montgomery_c 194s 221s -12%
poly_pointwise_montgomery_c 145s 161s -10%
rej_uniform_native 136s 151s -10%
sign_verify_internal 120s 132s -9%
mld_invntt_layer 87s 88s -1%
mld_ct_memcmp 73s 76s -4%
mld_ntt_layer 55s 56s -2%
keccak_squeezeblocks_x4 43s 44s -2%
sign_signature_internal 33s 35s -6%
polyvec_matrix_expand 27s 27s +0%
rej_uniform 22s 22s +0%
poly_uniform_eta_4x 20s 18s +11%
fqmul 19s 19s +0%
poly_chknorm_c 19s 21s -10%
polyeta_unpack 17s 17s +0%
polymat_permute_bitrev_to_custom 16s 16s +0%
rej_uniform_c 15s 14s +7%
polyt0_unpack 14s 15s -7%
keccakf1600x4_permute_native 13s 14s -7%
mld_compute_t0_t1_tr_from_sk_components 13s 15s -13%
poly_uniform_4x 12s 16s -25%
polyvec_matrix_pointwise_montgomery 12s 11s +9%
polyz_unpack_c 12s 11s +9%
mld_ntt_butterfly_block 11s 12s -8%
polyvec_matrix_expand_serial 11s 11s +0%
keccak_absorb_once_x4 10s 10s +0%
keccakf1600_permute_native 10s 8s +25%
poly_add 10s 13s -23%
polyveck_power2round 10s 11s -9%
keccakf1600_permute 9s 8s +12%
polyveck_use_hint 8s 7s +14%
sign 8s 6s +33%
keccak_absorb 7s 8s -12%
mld_polyvecl_permute_bitrev_to_custom_native 7s 7s +0%
polyveck_add 7s 7s +0%
polyveck_caddq 7s 5s +40%
polyvecl_ntt 7s 3s +133%
sign_pk_from_sk 7s 5s +40%
mld_check_pct 6s 7s -14%
pack_pk 6s 4s +50%
poly_caddq_c 6s 6s +0%
poly_invntt_tomont_c 6s 6s +0%
polyveck_chknorm 6s 6s +0%
polyveck_make_hint 6s 6s +0%
polyveck_sub 6s 4s +50%
polyvecl_chknorm 6s 5s +20%
sign_keypair_internal 6s 4s +50%
unpack_sk 6s 3s +100%
fqscale 5s 3s +67%
mld_compute_pack_z 5s 10s -50%
pack_sig_z 5s 3s +67%
poly_decompose_native 5s 3s +67%
poly_invntt_tomont 5s 3s +67%
poly_shiftl 5s 4s +25%
poly_uniform 5s 3s +67%
poly_uniform_eta 5s 3s +67%
poly_uniform_gamma1 5s 2s +150%
polyveck_decompose 5s 5s +0%
polyveck_shiftl 5s 6s -17%
polyveck_unpack_t0 5s 2s +150%
polyvecl_permute_bitrev_to_custom 5s 4s +25%
polyvecl_pointwise_acc_montgomery 5s 4s +25%
shake128_release 5s 2s +150%
shake256x4_absorb_once 5s 3s +67%
keccakf1600x4_permute 4s 3s +33%
make_hint 4s 2s +100%
mld_ct_get_optblocker_u8 4s 2s +100%
mld_h 4s 3s +33%
mld_prepare_domain_separation_prefix 4s 4s +0%
mld_sample_s1_s2 4s 6s -33%
ntt_native_aarch64 4s - new
pack_sk 4s 2s +100%
poly_challenge 4s 5s -20%
poly_chknorm_native 4s 5s -20%
poly_decompose 4s 2s +100%
poly_make_hint 4s 6s -33%
poly_ntt 4s 3s +33%
poly_power2round 4s 4s +0%
poly_uniform_gamma1_4x 4s 2s +100%
poly_use_hint_c 4s 5s -20%
poly_use_hint_native 4s 3s +33%
polyt0_pack 4s 3s +33%
polyveck_ntt 4s 6s -33%
polyveck_reduce 4s 5s -20%
polyvecl_uniform_gamma1 4s 4s +0%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyz_unpack 4s 3s +33%
polyz_unpack_native 4s 2s +100%
rej_eta_native 4s 4s +0%
shake128_init 4s 3s +33%
shake256 4s 2s +100%
shake256_release 4s 4s +0%
sign_open 4s 3s +33%
unpack_hints 4s 5s -20%
decompose 3s 2s +50%
keccak_finalize 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 2s +50%
keccakf1600x4_extract_bytes 3s 4s -25%
mld_ct_cmask_neg_i32 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 5s -40%
mld_ct_get_optblocker_u32 3s 1s +200%
mld_keccakf1600_extract_bytes 3s 3s +0%
mld_sample_s1_s2_serial 3s 5s -40%
mld_value_barrier_u32 3s 1s +200%
mld_value_barrier_u8 3s 3s +0%
montgomery_reduce 3s 1s +200%
ntt_native_x86_64 3s 3s +0%
pack_sig_c_h 3s 4s -25%
poly_caddq 3s 4s -25%
poly_caddq_native 3s 2s +50%
poly_caddq_native_aarch64 3s 4s -25%
poly_ntt_c 3s 3s +0%
poly_pointwise_montgomery 3s 5s -40%
poly_reduce 3s 3s +0%
poly_sub 3s 3s +0%
poly_use_hint 3s 6s -50%
polyt1_pack 3s 5s -40%
polyt1_unpack 3s 3s +0%
polyveck_invntt_tomont 3s 5s -40%
polyveck_pack_eta 3s 3s +0%
polyveck_pointwise_poly_montgomery 3s 6s -50%
polyveck_unpack_eta 3s 4s -25%
polyvecl_pack_eta 3s 2s +50%
polyvecl_unpack_eta 3s 4s -25%
polyw1_pack 3s 3s +0%
power2round 3s 3s +0%
reduce32 3s 2s +50%
rej_eta_c 3s 4s -25%
shake128_absorb 3s 2s +50%
shake128_squeeze 3s 2s +50%
shake128x4_absorb_once 3s 2s +50%
shake256_absorb 3s 2s +50%
shake256_finalize 3s 3s +0%
shake256_init 3s 5s -40%
shake256x4_squeezeblocks 3s 2s +50%
sign_keypair 3s 4s -25%
sign_signature_extmu 3s 3s +0%
sign_signature_pre_hash_shake256 3s 7s -57%
sign_verify 3s 4s -25%
sign_verify_pre_hash_internal 3s 5s -40%
sign_verify_pre_hash_shake256 3s 4s -25%
unpack_pk 3s 3s +0%
use_hint 3s 4s -25%
caddq 2s 3s -33%
intt_native_x86_64 2s 4s -50%
keccak_init 2s 2s +0%
keccakf1600_xor_bytes (big endian) 2s 3s -33%
keccakf1600x4_xor_bytes 2s 2s +0%
mld_ct_abs_i32 2s 2s +0%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_value_barrier_i64 2s 3s -33%
poly_chknorm 2s 2s +0%
poly_decompose_c 2s 4s -50%
poly_ntt_native 2s 3s -33%
poly_pointwise_montgomery_native 2s 3s -33%
polyeta_pack 2s 1s +100%
polyveck_pack_t0 2s 4s -50%
polyveck_pack_w1 2s 4s -50%
polyvecl_pointwise_acc_montgomery_native 2s 3s -33%
polyvecl_unpack_z 2s 4s -50%
polyz_pack 2s 4s -50%
rej_eta 2s 2s +0%
shake128_finalize 2s 2s +0%
shake128x4_squeezeblocks 2s 2s +0%
sign_signature 2s 4s -50%
sign_signature_pre_hash_internal 2s 4s -50%
sign_verify_extmu 2s 4s -50%
sys_check_capability 2s 2s +0%
unpack_sig 2s 2s +0%
keccak_squeeze 1s 3s -67%
keccakf1600_xor_bytes 1s 2s -50%
mld_ct_sel_int32 1s 2s -50%
poly_invntt_tomont_native 1s 4s -75%
shake256_squeeze 1s 3s -67%

@oqs-bot
Copy link
Contributor

oqs-bot commented Mar 18, 2026

CBMC Results (ML-DSA-65)

Full Results (176 proofs)
Proof Status Current Previous Change
**TOTAL** 2447s 2521s -2.9%
sign_verify_internal 331s 351s -6%
mld_attempt_signature_generation 266s 279s -5%
polyvecl_pointwise_acc_montgomery_c 196s 195s +1%
poly_pointwise_montgomery_c 149s 165s -10%
rej_uniform_native 144s 149s -3%
polyvec_matrix_expand 124s 128s -3%
mld_invntt_layer 95s 97s -2%
mld_ct_memcmp 77s 78s -1%
polyvec_matrix_expand_serial 68s 70s -3%
mld_ntt_layer 53s 57s -7%
keccak_squeezeblocks_x4 41s 43s -5%
sign_signature_internal 39s 39s +0%
polymat_permute_bitrev_to_custom 29s 32s -9%
mld_compute_t0_t1_tr_from_sk_components 25s 26s -4%
poly_chknorm_c 22s 20s +10%
rej_uniform 22s 19s +16%
fqmul 19s 20s -5%
poly_uniform_eta_4x 17s 15s +13%
rej_uniform_c 16s 16s +0%
polyveck_decompose 15s 14s +7%
keccakf1600x4_permute_native 14s 13s +8%
mld_ntt_butterfly_block 14s 13s +8%
poly_uniform_4x 14s 15s -7%
polyt0_unpack 14s 14s +0%
polyvec_matrix_pointwise_montgomery 14s 12s +17%
polyveck_sub 14s 12s +17%
poly_add 12s 11s +9%
polyveck_power2round 12s 11s +9%
polyvecl_chknorm 12s 11s +9%
keccak_absorb_once_x4 11s 12s -8%
keccak_absorb 9s 7s +29%
polyveck_add 9s 11s -18%
keccakf1600_permute_native 8s 7s +14%
poly_invntt_tomont_c 8s 8s +0%
polyveck_ntt 8s 10s -20%
polyveck_reduce 8s 6s +33%
polyveck_use_hint 8s 8s +0%
polyvecl_ntt 8s 7s +14%
sign_pk_from_sk 8s 10s -20%
keccakf1600_permute 7s 7s +0%
mld_sample_s1_s2_serial 7s 5s +40%
poly_decompose_c 7s 7s +0%
poly_power2round 7s 4s +75%
polyeta_unpack 7s 5s +40%
polyveck_invntt_tomont 7s 9s -22%
polyveck_pointwise_poly_montgomery 7s 8s -12%
decompose 6s 2s +200%
mld_check_pct 6s 7s -14%
mld_polyvecl_permute_bitrev_to_custom_native 6s 9s -33%
mld_sample_s1_s2 6s 6s +0%
polyveck_caddq 6s 7s -14%
polyveck_shiftl 6s 6s +0%
polyveck_unpack_eta 6s 5s +20%
polyvecl_pointwise_acc_montgomery_native 6s 4s +50%
shake128_absorb 6s 3s +100%
shake256_release 6s 1s +500%
sign 6s 7s -14%
sign_keypair_internal 6s 4s +50%
sign_open 6s 8s -25%
sign_signature_extmu 6s 4s +50%
intt_native_x86_64 5s 2s +150%
make_hint 5s 2s +150%
mld_compute_pack_z 5s 6s -17%
mld_ct_get_optblocker_i64 5s 2s +150%
pack_pk 5s 3s +67%
pack_sig_c_h 5s 5s +0%
poly_caddq_c 5s 5s +0%
poly_reduce 5s 4s +25%
poly_sub 5s 4s +25%
poly_uniform_eta 5s 7s -29%
poly_use_hint_c 5s 5s +0%
polyt0_pack 5s 6s -17%
polyt1_pack 5s 4s +25%
polyveck_pack_eta 5s 4s +25%
power2round 5s 2s +150%
rej_eta_native 5s 7s -29%
sign_verify 5s 5s +0%
unpack_hints 5s 4s +25%
unpack_sk 5s 6s -17%
caddq 4s 4s +0%
mld_h 4s 5s -20%
poly_caddq_native_aarch64 4s 4s +0%
poly_decompose_native 4s 3s +33%
poly_ntt_c 4s 4s +0%
poly_uniform 4s 6s -33%
poly_use_hint 4s 4s +0%
poly_use_hint_native 4s 4s +0%
polyveck_make_hint 4s 6s -33%
polyvecl_pointwise_acc_montgomery 4s 2s +100%
polyvecl_unpack_eta 4s 3s +33%
polyvecl_unpack_z 4s 3s +33%
polyw1_pack 4s 2s +100%
polyz_pack 4s 2s +100%
polyz_unpack_c 4s 3s +33%
shake128x4_squeezeblocks 4s 1s +300%
sign_keypair 4s 4s +0%
sign_signature 4s 4s +0%
sign_signature_pre_hash_shake256 4s 4s +0%
sign_verify_pre_hash_internal 4s 6s -33%
unpack_pk 4s 4s +0%
mld_ct_cmask_neg_i32 3s 2s +50%
mld_ct_cmask_nonzero_u8 3s 7s -57%
mld_ct_get_optblocker_u8 3s 3s +0%
mld_value_barrier_i64 3s 2s +50%
mld_value_barrier_u32 3s 3s +0%
ntt_native_aarch64 3s - new
ntt_native_x86_64 3s 5s -40%
poly_caddq_native 3s 2s +50%
poly_challenge 3s 3s +0%
poly_chknorm 3s 3s +0%
poly_chknorm_native 3s 2s +50%
poly_invntt_tomont 3s 3s +0%
poly_make_hint 3s 7s -57%
poly_ntt 3s 3s +0%
poly_ntt_native 3s 4s -25%
poly_pointwise_montgomery 3s 3s +0%
poly_pointwise_montgomery_native 3s 5s -40%
poly_uniform_gamma1 3s 2s +50%
poly_uniform_gamma1_4x 3s 4s -25%
polyeta_pack 3s 4s -25%
polyt1_unpack 3s 3s +0%
polyveck_chknorm 3s 7s -57%
polyveck_pack_t0 3s 4s -25%
polyveck_pack_w1 3s 3s +0%
polyveck_unpack_t0 3s 3s +0%
polyvecl_pack_eta 3s 4s -25%
polyvecl_uniform_gamma1 3s 4s -25%
polyvecl_uniform_gamma1_serial 3s 3s +0%
polyz_unpack 3s 2s +50%
polyz_unpack_native 3s 4s -25%
rej_eta 3s 3s +0%
rej_eta_c 3s 4s -25%
shake128_init 3s 1s +200%
shake128_squeeze 3s 3s +0%
shake256_finalize 3s 2s +50%
shake256_init 3s 2s +50%
shake256x4_absorb_once 3s 1s +200%
sign_signature_pre_hash_internal 3s 4s -25%
sign_verify_extmu 3s 3s +0%
sign_verify_pre_hash_shake256 3s 5s -40%
use_hint 3s 3s +0%
keccak_finalize 2s 2s +0%
keccak_squeeze 2s 4s -50%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_extract_bytes 2s 1s +100%
keccakf1600x4_permute 2s 5s -60%
keccakf1600x4_xor_bytes 2s 2s +0%
mld_ct_cmask_nonzero_u32 2s 3s -33%
mld_ct_get_optblocker_u32 2s 1s +100%
mld_ct_sel_int32 2s 1s +100%
mld_prepare_domain_separation_prefix 2s 5s -60%
mld_value_barrier_u8 2s 5s -60%
pack_sig_z 2s 2s +0%
poly_caddq 2s 4s -50%
poly_invntt_tomont_native 2s 4s -50%
poly_shiftl 2s 2s +0%
polyvecl_permute_bitrev_to_custom 2s 3s -33%
reduce32 2s 1s +100%
shake128x4_absorb_once 2s 2s +0%
shake256 2s 2s +0%
shake256_absorb 2s 2s +0%
shake256x4_squeezeblocks 2s 3s -33%
unpack_sig 2s 2s +0%
fqscale 1s 3s -67%
keccak_init 1s 3s -67%
mld_ct_abs_i32 1s 3s -67%
mld_keccakf1600_extract_bytes 1s 2s -50%
montgomery_reduce 1s 3s -67%
pack_sk 1s 3s -67%
poly_decompose 1s 5s -80%
shake128_finalize 1s 3s -67%
shake128_release 1s 2s -50%
shake256_squeeze 1s 2s -50%
sys_check_capability 1s 4s -75%

@oqs-bot
Copy link
Contributor

oqs-bot commented Mar 18, 2026

CBMC Results (ML-DSA-87)

Full Results (176 proofs)
Proof Status Current Previous Change
**TOTAL** 2756s 2658s +3.7%
sign_verify_internal 342s 337s +1%
polyvecl_pointwise_acc_montgomery_c 288s 270s +7%
mld_attempt_signature_generation 251s 233s +8%
polyvec_matrix_expand 180s 177s +2%
poly_pointwise_montgomery_c 163s 156s +4%
rej_uniform_native 150s 147s +2%
mld_invntt_layer 98s 91s +8%
polyvec_matrix_expand_serial 84s 81s +4%
mld_ct_memcmp 76s 79s -4%
polyveck_decompose 60s 55s +9%
mld_ntt_layer 57s 52s +10%
sign_signature_internal 54s 51s +6%
polymat_permute_bitrev_to_custom 46s 46s +0%
keccak_squeezeblocks_x4 42s 41s +2%
mld_compute_t0_t1_tr_from_sk_components 25s 26s -4%
poly_chknorm_c 21s 20s +5%
rej_uniform 21s 23s -9%
fqmul 19s 19s +0%
polyeta_unpack 18s 17s +6%
mld_ntt_butterfly_block 16s 12s +33%
poly_uniform_4x 16s 18s -11%
poly_uniform_eta_4x 16s 15s +7%
rej_uniform_c 16s 16s +0%
polyt0_unpack 15s 13s +15%
keccakf1600x4_permute_native 14s 12s +17%
polyvec_matrix_pointwise_montgomery 14s 11s +27%
polyveck_use_hint 14s 11s +27%
mld_polyvecl_permute_bitrev_to_custom_native 12s 12s +0%
poly_add 12s 11s +9%
polyveck_caddq 12s 10s +20%
keccak_absorb_once_x4 11s 10s +10%
polyz_unpack_c 11s 10s +10%
polyveck_reduce 10s 10s +0%
sign_keypair_internal 10s 7s +43%
keccakf1600_permute 9s 7s +29%
polyveck_ntt 9s 8s +12%
polyveck_pointwise_poly_montgomery 9s 9s +0%
polyvecl_ntt 9s 9s +0%
sign_pk_from_sk 9s 7s +29%
keccak_absorb 8s 9s -11%
poly_challenge 8s 3s +167%
poly_decompose_c 8s 9s -11%
poly_uniform_eta 8s 7s +14%
polyveck_add 8s 11s -27%
polyveck_invntt_tomont 8s 10s -20%
polyveck_make_hint 8s 8s +0%
keccakf1600_permute_native 7s 9s -22%
mld_check_pct 7s 8s -12%
mld_compute_pack_z 7s 9s -22%
mld_sample_s1_s2 7s 8s -12%
poly_invntt_tomont_c 7s 7s +0%
polyveck_chknorm 7s 4s +75%
polyveck_power2round 7s 8s -12%
polyveck_sub 7s 7s +0%
mld_sample_s1_s2_serial 6s 7s -14%
poly_uniform_gamma1 6s 2s +200%
polyveck_shiftl 6s 7s -14%
polyvecl_permute_bitrev_to_custom 6s 3s +100%
polyvecl_uniform_gamma1 6s 5s +20%
sign 6s 8s -25%
sign_keypair 6s 6s +0%
sign_open 6s 4s +50%
sign_signature_extmu 6s 6s +0%
sign_signature_pre_hash_internal 6s 4s +50%
keccak_squeeze 5s 3s +67%
montgomery_reduce 5s 4s +25%
poly_caddq_c 5s 5s +0%
poly_chknorm_native 5s 3s +67%
poly_uniform_gamma1_4x 5s 3s +67%
polyveck_unpack_eta 5s 4s +25%
polyvecl_pack_eta 5s 4s +25%
polyvecl_pointwise_acc_montgomery_native 5s 4s +25%
rej_eta_c 5s 4s +25%
rej_eta_native 5s 5s +0%
shake256_release 5s 2s +150%
sign_signature 5s 4s +25%
sign_verify_pre_hash_shake256 5s 4s +25%
mld_h 4s 5s -20%
poly_decompose 4s 2s +100%
poly_invntt_tomont_native 4s 2s +100%
poly_make_hint 4s 2s +100%
poly_ntt_native 4s 4s +0%
poly_pointwise_montgomery_native 4s 3s +33%
poly_power2round 4s 6s -33%
poly_shiftl 4s 4s +0%
poly_use_hint_c 4s 3s +33%
polyt1_pack 4s 2s +100%
polyveck_pack_eta 4s 3s +33%
polyveck_unpack_t0 4s 5s -20%
polyvecl_uniform_gamma1_serial 4s 6s -33%
reduce32 4s 3s +33%
rej_eta 4s 2s +100%
shake256_finalize 4s 3s +33%
shake256_init 4s 3s +33%
sign_signature_pre_hash_shake256 4s 4s +0%
sign_verify_extmu 4s 3s +33%
sign_verify_pre_hash_internal 4s 3s +33%
unpack_hints 4s 6s -33%
unpack_pk 4s 2s +100%
unpack_sk 4s 5s -20%
caddq 3s 5s -40%
fqscale 3s 2s +50%
intt_native_x86_64 3s 3s +0%
keccak_init 3s 4s -25%
keccakf1600_extract_bytes (big endian) 3s 4s -25%
keccakf1600_xor_bytes 3s 1s +200%
keccakf1600x4_xor_bytes 3s 4s -25%
make_hint 3s 5s -40%
mld_ct_abs_i32 3s 1s +200%
mld_ct_get_optblocker_u32 3s 2s +50%
pack_pk 3s 2s +50%
pack_sig_c_h 3s 3s +0%
pack_sig_z 3s 3s +0%
pack_sk 3s 2s +50%
poly_caddq 3s 4s -25%
poly_caddq_native 3s 4s -25%
poly_caddq_native_aarch64 3s 2s +50%
poly_chknorm 3s 4s -25%
poly_decompose_native 3s 4s -25%
poly_invntt_tomont 3s 3s +0%
poly_ntt_c 3s 3s +0%
poly_reduce 3s 4s -25%
poly_uniform 3s 4s -25%
polyt0_pack 3s 4s -25%
polyt1_unpack 3s 2s +50%
polyveck_pack_w1 3s 3s +0%
polyvecl_chknorm 3s 6s -50%
polyvecl_unpack_eta 3s 4s -25%
polyvecl_unpack_z 3s 4s -25%
polyw1_pack 3s 2s +50%
polyz_unpack 3s 3s +0%
polyz_unpack_native 3s 3s +0%
shake128_finalize 3s 3s +0%
shake128_squeeze 3s 3s +0%
shake128x4_absorb_once 3s 3s +0%
shake256 3s 3s +0%
shake256_absorb 3s 3s +0%
shake256x4_squeezeblocks 3s 2s +50%
sign_verify 3s 4s -25%
use_hint 3s 5s -40%
decompose 2s 4s -50%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_extract_bytes 2s 2s +0%
mld_ct_cmask_neg_i32 2s 3s -33%
mld_ct_cmask_nonzero_u32 2s 3s -33%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_ct_get_optblocker_i64 2s 3s -33%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_ct_sel_int32 2s 3s -33%
mld_keccakf1600_extract_bytes 2s 2s +0%
mld_prepare_domain_separation_prefix 2s 4s -50%
mld_value_barrier_i64 2s 2s +0%
mld_value_barrier_u32 2s 2s +0%
mld_value_barrier_u8 2s 3s -33%
ntt_native_aarch64 2s - new
ntt_native_x86_64 2s 3s -33%
poly_ntt 2s 3s -33%
poly_sub 2s 3s -33%
poly_use_hint 2s 3s -33%
poly_use_hint_native 2s 3s -33%
polyeta_pack 2s 3s -33%
polyveck_pack_t0 2s 4s -50%
polyvecl_pointwise_acc_montgomery 2s 2s +0%
polyz_pack 2s 2s +0%
power2round 2s 3s -33%
shake128_absorb 2s 3s -33%
shake128_release 2s 2s +0%
shake128x4_squeezeblocks 2s 2s +0%
shake256_squeeze 2s 1s +100%
shake256x4_absorb_once 2s 2s +0%
sys_check_capability 2s 3s -33%
unpack_sig 2s 2s +0%
keccak_finalize 1s 1s +0%
keccakf1600x4_permute 1s 2s -50%
poly_pointwise_montgomery 1s 2s -50%
shake128_init 1s 3s -67%

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HOL-Light: Prove AArch64 rej_uniform

3 participants

@dkostic @oqs-bot @mkannwischer