ACVP: Allow skipping pre-hash modes unsupported by Python's hashlib by mkannwischer · Pull Request #1140 · pq-code-package/mldsa-native

mkannwischer · 2026-06-01T09:11:26Z

Some Python/OpenSSL builds lack the truncated SHA-512 variants
(SHA2-512/224, SHA2-512/256) needed for pre-hash ACVP test cases. Add
--skip-unsupported to drop the affected cases from both prompt and
expected results; without it the client errors with guidance on the
flag. Expose it through make via ACVP_OPTIONS.

Resolves Python 3.7 on Amazon Linux 2 lacks sha512_224 in hashlib #719

oqs-bot · 2026-06-02T02:07:37Z

CBMC Results (ML-DSA-87, REDUCE-RAM)

Full Results (205 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1569s	1658s	-5.4%
`mld_invntt_layer`	✅	155s	175s	-11%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	151s	163s	-7%
`poly_pointwise_montgomery_c`	✅	118s	145s	-19%
`rej_uniform_native`	✅	118s	129s	-9%
`mld_ct_memcmp`	✅	66s	74s	-11%
`fqmul`	✅	41s	43s	-5%
`mld_ntt_layer`	✅	41s	46s	-11%
`mld_attempt_signature_generation`	✅	31s	33s	-6%
`mld_ntt_butterfly_block`	✅	22s	25s	-12%
`keccakf1600x4_permute_native`	✅	21s	23s	-9%
`sign_verify_internal`	✅	21s	22s	-5%
`poly_chknorm_c`	✅	18s	20s	-10%
`polyt0_unpack`	✅	17s	17s	+0%
`polyveck_decompose`	✅	16s	18s	-11%
`poly_uniform_eta_4x`	✅	15s	15s	+0%
`rej_uniform_c`	✅	15s	19s	-21%
`polyeta_unpack`	✅	13s	14s	-7%
`mld_check_pct`	✅	12s	12s	+0%
`compute_pack_t0_t1`	✅	10s	10s	+0%
`polyvecl_ntt`	✅	10s	7s	+43%
`keccak_absorb_once_x4`	✅	9s	9s	+0%
`poly_add`	✅	9s	11s	-18%
`polyvecl_chknorm`	✅	9s	9s	+0%
`keccak_absorb`	✅	8s	7s	+14%
`poly_invntt_tomont_c`	✅	8s	9s	-11%
`polyvec_matrix_pointwise_montgomery_row`	✅	8s	6s	+33%
`sign`	✅	8s	7s	+14%
`mld_sample_s1_s2_serial`	✅	7s	7s	+0%
`pointwise_acc_native_x86_64`	✅	7s	8s	-12%
`poly_decompose_c`	✅	7s	4s	+75%
`polyveck_caddq`	✅	7s	5s	+40%
`polyveck_invntt_tomont`	✅	7s	7s	+0%
`polyveck_reduce`	✅	7s	5s	+40%
`rej_uniform`	✅	7s	8s	-12%
`keccak_squeezeblocks_x4`	✅	6s	5s	+20%
`mld_keccakf1600_permute_c`	✅	6s	8s	-25%
`mld_keccakf1600x4_extract_bytes_c`	✅	6s	1s	+500%
`pointwise_acc_native_aarch64`	✅	6s	6s	+0%
`pointwise_native_x86_64`	✅	6s	3s	+100%
`poly_power2round`	✅	6s	6s	+0%
`polyveck_unpack_eta`	✅	6s	3s	+100%
`polyvecl_uniform_gamma1`	✅	6s	1s	+500%
`polyvecl_unpack_z`	✅	6s	1s	+500%
`sign_signature_internal`	✅	6s	4s	+50%
`intt_native_aarch64`	✅	5s	1s	+400%
`intt_native_x86_64`	✅	5s	1s	+400%
`keccak_f1600_x1_native_aarch64_v84a`	✅	5s	2s	+150%
`keccakf1600x4_permute`	✅	5s	2s	+150%
`make_hint`	✅	5s	1s	+400%
`ntt_native_aarch64`	✅	5s	4s	+25%
`poly_caddq_c`	✅	5s	7s	-29%
`poly_caddq_native_aarch64`	✅	5s	5s	+0%
`poly_challenge`	✅	5s	3s	+67%
`poly_invntt_tomont_native`	✅	5s	4s	+25%
`poly_uniform`	✅	5s	4s	+25%
`polyvec_matrix_expand_serial`	✅	5s	4s	+25%
`polyz_unpack_19_native_aarch64`	✅	5s	2s	+150%
`polyz_unpack_c`	✅	5s	6s	-17%
`rej_eta_native`	✅	5s	5s	+0%
`shake128_init`	✅	5s	1s	+400%
`sign_keypair_internal`	✅	5s	4s	+25%
`sign_open`	✅	5s	2s	+150%
`sign_signature_extmu`	✅	5s	3s	+67%
`decompose`	✅	4s	2s	+100%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	4s	4s	+0%
`keccak_finalize`	✅	4s	1s	+300%
`keccakf1600_permute`	✅	4s	2s	+100%
`mld_compute_pack_z`	✅	4s	6s	-33%
`mld_h`	✅	4s	4s	+0%
`mld_polymat_expand_entry`	✅	4s	2s	+100%
`mld_prepare_domain_separation_prefix`	✅	4s	3s	+33%
`mld_sample_s1_s2`	✅	4s	6s	-33%
`ntt_native_x86_64`	✅	4s	5s	-20%
`pack_sig_h`	✅	4s	4s	+0%
`poly_chknorm`	✅	4s	4s	+0%
`poly_chknorm_native`	✅	4s	2s	+100%
`poly_chknorm_native_aarch64`	✅	4s	2s	+100%
`poly_decompose`	✅	4s	5s	-20%
`poly_decompose_native`	✅	4s	4s	+0%
`poly_invntt_tomont`	✅	4s	3s	+33%
`poly_pointwise_montgomery`	✅	4s	2s	+100%
`poly_shiftl`	✅	4s	7s	-43%
`poly_uniform_eta`	✅	4s	3s	+33%
`poly_use_hint_native`	✅	4s	5s	-20%
`polyt1_pack`	✅	4s	5s	-20%
`polyveck_pack_eta`	✅	4s	2s	+100%
`polyveck_pack_w1`	✅	4s	3s	+33%
`polyvecl_pointwise_acc_montgomery`	✅	4s	2s	+100%
`polyw1_pack`	✅	4s	2s	+100%
`polyw1_pack_32`	✅	4s	3s	+33%
`polyz_unpack_17_native_aarch64`	✅	4s	4s	+0%
`polyz_unpack_native`	✅	4s	3s	+33%
`polyz_unpack_native_x86_64`	✅	4s	2s	+100%
`shake256_finalize`	✅	4s	2s	+100%
`shake256_init`	✅	4s	3s	+33%
`sign_keypair`	✅	4s	4s	+0%
`sign_pk_from_sk`	✅	4s	7s	-43%
`sign_signature`	✅	4s	4s	+0%
`sign_verify_pre_hash_internal`	✅	4s	6s	-33%
`sk_t0hat_get_poly`	✅	4s	1s	+300%
`use_hint`	✅	4s	2s	+100%
`keccak_f1600_x1_native_aarch64`	✅	3s	3s	+0%
`keccak_init`	✅	3s	4s	-25%
`keccakf1600_xor_bytes (big endian)`	✅	3s	3s	+0%
`keccakf1600x4_extract_bytes`	✅	3s	2s	+50%
`mld_ct_abs_i32`	✅	3s	3s	+0%
`mld_ct_cmask_nonzero_u32`	✅	3s	3s	+0%
`mld_ct_cmask_nonzero_u8`	✅	3s	6s	-50%
`mld_ct_get_optblocker_i64`	✅	3s	2s	+50%
`mld_ct_get_optblocker_u32`	✅	3s	3s	+0%
`mld_keccakf1600x4_xor_bytes_c`	✅	3s	4s	-25%
`mld_value_barrier_u32`	✅	3s	5s	-40%
`montgomery_reduce`	✅	3s	2s	+50%
`pack_sk_rho_key_tr_s2`	✅	3s	3s	+0%
`pack_sk_s1`	✅	3s	2s	+50%
`poly_caddq_native`	✅	3s	2s	+50%
`poly_caddq_native_x86_64`	✅	3s	2s	+50%
`poly_chknorm_native_x86_64`	✅	3s	3s	+0%
`poly_decompose_32_native_aarch64`	✅	3s	2s	+50%
`poly_decompose_88_native_aarch64`	✅	3s	3s	+0%
`poly_ntt`	✅	3s	4s	-25%
`poly_permute_bitrev_to_custom_optional_native`	✅	3s	7s	-57%
`poly_pointwise_montgomery_native`	✅	3s	4s	-25%
`poly_reduce`	✅	3s	4s	-25%
`poly_uniform_gamma1_4x`	✅	3s	3s	+0%
`poly_use_hint_c`	✅	3s	2s	+50%
`poly_use_hint_native_aarch64`	✅	3s	2s	+50%
`polyt1_unpack`	✅	3s	2s	+50%
`polyveck_chknorm`	✅	3s	4s	-25%
`polyvecl_pointwise_acc_montgomery_c`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1_serial`	✅	3s	3s	+0%
`polyz_pack`	✅	3s	3s	+0%
`power2round`	✅	3s	2s	+50%
`rej_eta_c`	✅	3s	4s	-25%
`rej_uniform_eta_native_aarch64`	✅	3s	5s	-40%
`rej_uniform_native_aarch64`	✅	3s	3s	+0%
`shake128_absorb`	✅	3s	1s	+200%
`shake128_finalize`	✅	3s	4s	-25%
`shake256_release`	✅	3s	3s	+0%
`shake256x4_squeezeblocks`	✅	3s	4s	-25%
`sig_unpack_hints`	✅	3s	3s	+0%
`sign_signature_pre_hash_internal`	✅	3s	4s	-25%
`sign_signature_pre_hash_shake256`	✅	3s	5s	-40%
`sign_verify_extmu`	✅	3s	4s	-25%
`unpack_pk_t1`	✅	3s	3s	+0%
`unpack_sk_s2hat`	✅	3s	2s	+50%
`unpack_sk_t0hat`	✅	3s	3s	+0%
`yvec_get_poly`	✅	3s	3s	+0%
`yvec_init`	✅	3s	3s	+0%
`caddq`	✅	2s	2s	+0%
`fqscale`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccak_squeeze`	✅	2s	3s	-33%
`keccakf1600_extract_bytes (big endian)`	✅	2s	3s	-33%
`keccakf1600_permute_native`	✅	2s	2s	+0%
`keccakf1600_xor_bytes`	✅	2s	4s	-50%
`keccakf1600x4_xor_bytes`	✅	2s	2s	+0%
`keccakf1600x4_xor_bytes_native`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	2s	+0%
`mld_keccakf1600_extract_bytes`	✅	2s	1s	+100%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`mld_value_barrier_u8`	✅	2s	1s	+100%
`pack_sig_c`	✅	2s	3s	-33%
`pack_sig_z`	✅	2s	2s	+0%
`poly_caddq`	✅	2s	4s	-50%
`poly_ntt_c`	✅	2s	5s	-60%
`poly_ntt_native`	✅	2s	2s	+0%
`poly_sub`	✅	2s	1s	+100%
`poly_uniform_4x`	✅	2s	6s	-67%
`poly_uniform_gamma1`	✅	2s	2s	+0%
`polyeta_pack`	✅	2s	3s	-33%
`polyt0_pack`	✅	2s	5s	-60%
`polyvec_matrix_expand`	✅	2s	3s	-33%
`polyveck_ntt`	✅	2s	2s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	2s	3s	-33%
`polyvecl_unpack_eta`	✅	2s	5s	-60%
`polyw1_pack_88`	✅	2s	5s	-60%
`polyz_unpack`	✅	2s	2s	+0%
`reduce32`	✅	2s	2s	+0%
`rej_eta`	✅	2s	3s	-33%
`shake128_release`	✅	2s	5s	-60%
`shake128x4_absorb_once`	✅	2s	4s	-50%
`shake256_absorb`	✅	2s	2s	+0%
`shake256_squeeze`	✅	2s	3s	-33%
`sign_verify`	✅	2s	3s	-33%
`sign_verify_pre_hash_shake256`	✅	2s	4s	-50%
`sk_s1hat_get_poly`	✅	2s	3s	-33%
`sk_s2hat_get_poly`	✅	2s	2s	+0%
`sys_check_capability`	✅	2s	1s	+100%
`unpack_sk`	✅	2s	2s	+0%
`unpack_sk_s1hat`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	3s	-67%
`keccak_f1600_x4_native_avx2`	✅	1s	3s	-67%
`keccakf1600x4_extract_bytes_native`	✅	1s	2s	-50%
`mld_ct_cmask_neg_i32`	✅	1s	5s	-80%
`nttunpack_native_x86_64`	✅	1s	5s	-80%
`pointwise_native_aarch64`	✅	1s	2s	-50%
`poly_permute_bitrev_to_custom_optional`	✅	1s	2s	-50%
`poly_use_hint`	✅	1s	1s	+0%
`polyvecl_pack_eta`	✅	1s	2s	-50%
`shake128_squeeze`	✅	1s	4s	-75%
`shake128x4_squeezeblocks`	✅	1s	3s	-67%
`shake256`	✅	1s	3s	-67%
`shake256x4_absorb_once`	✅	1s	4s	-75%

oqs-bot · 2026-06-02T02:07:39Z

CBMC Results (ML-DSA-65, REDUCE-RAM)

Full Results (205 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1553s	1552s	+0.1%
`mld_invntt_layer`	✅	168s	167s	+1%
`poly_pointwise_montgomery_c`	✅	134s	139s	-4%
`rej_uniform_native`	✅	125s	124s	+1%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	82s	86s	-5%
`mld_ct_memcmp`	✅	67s	65s	+3%
`mld_ntt_layer`	✅	46s	45s	+2%
`fqmul`	✅	41s	41s	+0%
`polyveck_chknorm`	✅	37s	37s	+0%
`mld_attempt_signature_generation`	✅	24s	22s	+9%
`keccakf1600x4_permute_native`	✅	22s	21s	+5%
`mld_ntt_butterfly_block`	✅	22s	26s	-15%
`poly_chknorm_c`	✅	19s	19s	+0%
`polyt0_unpack`	✅	18s	17s	+6%
`polyveck_decompose`	✅	17s	19s	-11%
`mld_check_pct`	✅	16s	15s	+7%
`polyvecl_chknorm`	✅	16s	14s	+14%
`rej_uniform_c`	✅	16s	15s	+7%
`sign_verify_internal`	✅	16s	17s	-6%
`poly_add`	✅	12s	13s	-8%
`keccak_absorb_once_x4`	✅	11s	9s	+22%
`poly_uniform_eta_4x`	✅	11s	13s	-15%
`polyvec_matrix_pointwise_montgomery_row`	✅	10s	11s	-9%
`polyz_unpack_c`	✅	9s	6s	+50%
`mld_keccakf1600_permute_c`	✅	8s	7s	+14%
`pointwise_acc_native_x86_64`	✅	8s	6s	+33%
`compute_pack_t0_t1`	✅	7s	6s	+17%
`poly_invntt_tomont_c`	✅	7s	13s	-46%
`polyvecl_ntt`	✅	7s	8s	-12%
`rej_uniform`	✅	7s	8s	-12%
`sign`	✅	7s	7s	+0%
`sign_signature_internal`	✅	7s	5s	+40%
`keccak_absorb`	✅	6s	7s	-14%
`keccak_squeezeblocks_x4`	✅	6s	4s	+50%
`mld_h`	✅	6s	5s	+20%
`nttunpack_native_x86_64`	✅	6s	2s	+200%
`poly_uniform`	✅	6s	4s	+50%
`poly_use_hint_native`	✅	6s	6s	+0%
`polyveck_caddq`	✅	6s	6s	+0%
`polyveck_invntt_tomont`	✅	6s	5s	+20%
`polyz_unpack_native`	✅	6s	3s	+100%
`sign_signature_extmu`	✅	6s	4s	+50%
`sign_signature_pre_hash_internal`	✅	6s	5s	+20%
`mld_compute_pack_z`	✅	5s	5s	+0%
`mld_polymat_expand_entry`	✅	5s	2s	+150%
`poly_caddq_c`	✅	5s	4s	+25%
`poly_decompose_c`	✅	5s	4s	+25%
`poly_invntt_tomont`	✅	5s	3s	+67%
`poly_power2round`	✅	5s	4s	+25%
`polyeta_unpack`	✅	5s	5s	+0%
`polyvec_matrix_expand`	✅	5s	2s	+150%
`polyveck_reduce`	✅	5s	3s	+67%
`polyveck_unpack_eta`	✅	5s	2s	+150%
`polyvecl_uniform_gamma1`	✅	5s	3s	+67%
`shake128x4_absorb_once`	✅	5s	3s	+67%
`sign_keypair_internal`	✅	5s	5s	+0%
`sign_pk_from_sk`	✅	5s	5s	+0%
`caddq`	✅	4s	2s	+100%
`fqscale`	✅	4s	3s	+33%
`keccak_init`	✅	4s	3s	+33%
`keccakf1600x4_extract_bytes`	✅	4s	4s	+0%
`keccakf1600x4_xor_bytes`	✅	4s	3s	+33%
`mld_ct_cmask_nonzero_u32`	✅	4s	3s	+33%
`mld_ct_cmask_nonzero_u8`	✅	4s	6s	-33%
`mld_sample_s1_s2`	✅	4s	6s	-33%
`ntt_native_aarch64`	✅	4s	3s	+33%
`ntt_native_x86_64`	✅	4s	3s	+33%
`pack_sig_h`	✅	4s	2s	+100%
`pack_sig_z`	✅	4s	3s	+33%
`pointwise_acc_native_aarch64`	✅	4s	6s	-33%
`poly_caddq`	✅	4s	2s	+100%
`poly_caddq_native`	✅	4s	3s	+33%
`poly_caddq_native_x86_64`	✅	4s	2s	+100%
`poly_challenge`	✅	4s	3s	+33%
`poly_chknorm`	✅	4s	4s	+0%
`poly_chknorm_native`	✅	4s	5s	-20%
`poly_decompose`	✅	4s	1s	+300%
`poly_decompose_32_native_aarch64`	✅	4s	3s	+33%
`poly_invntt_tomont_native`	✅	4s	4s	+0%
`poly_pointwise_montgomery`	✅	4s	3s	+33%
`poly_pointwise_montgomery_native`	✅	4s	3s	+33%
`poly_reduce`	✅	4s	4s	+0%
`poly_sub`	✅	4s	2s	+100%
`poly_use_hint_native_aarch64`	✅	4s	3s	+33%
`polyvec_matrix_expand_serial`	✅	4s	3s	+33%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	3s	+33%
`polyz_unpack_17_native_aarch64`	✅	4s	3s	+33%
`polyz_unpack_native_x86_64`	✅	4s	5s	-20%
`shake256x4_squeezeblocks`	✅	4s	3s	+33%
`sig_unpack_hints`	✅	4s	3s	+33%
`sign_open`	✅	4s	4s	+0%
`sign_signature`	✅	4s	5s	-20%
`sign_signature_pre_hash_shake256`	✅	4s	3s	+33%
`sign_verify_extmu`	✅	4s	3s	+33%
`sign_verify_pre_hash_shake256`	✅	4s	3s	+33%
`sk_s2hat_get_poly`	✅	4s	4s	+0%
`decompose`	✅	3s	3s	+0%
`intt_native_aarch64`	✅	3s	5s	-40%
`intt_native_x86_64`	✅	3s	4s	-25%
`keccak_f1600_x4_native_aarch64_v84a`	✅	3s	2s	+50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	4s	-25%
`keccak_finalize`	✅	3s	3s	+0%
`keccakf1600_permute`	✅	3s	4s	-25%
`mld_ct_get_optblocker_u32`	✅	3s	3s	+0%
`mld_ct_sel_int32`	✅	3s	2s	+50%
`mld_keccakf1600x4_xor_bytes_c`	✅	3s	3s	+0%
`mld_prepare_domain_separation_prefix`	✅	3s	9s	-67%
`mld_sample_s1_s2_serial`	✅	3s	5s	-40%
`mld_value_barrier_i64`	✅	3s	1s	+200%
`pack_sig_c`	✅	3s	5s	-40%
`pack_sk_rho_key_tr_s2`	✅	3s	3s	+0%
`pointwise_native_aarch64`	✅	3s	2s	+50%
`poly_caddq_native_aarch64`	✅	3s	2s	+50%
`poly_ntt`	✅	3s	4s	-25%
`poly_permute_bitrev_to_custom_optional_native`	✅	3s	4s	-25%
`poly_shiftl`	✅	3s	6s	-50%
`poly_uniform_4x`	✅	3s	2s	+50%
`poly_uniform_eta`	✅	3s	4s	-25%
`poly_use_hint`	✅	3s	3s	+0%
`polyeta_pack`	✅	3s	1s	+200%
`polyt0_pack`	✅	3s	2s	+50%
`polyveck_ntt`	✅	3s	3s	+0%
`polyveck_pack_w1`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery_c`	✅	3s	2s	+50%
`polyw1_pack_32`	✅	3s	2s	+50%
`polyz_pack`	✅	3s	2s	+50%
`polyz_unpack`	✅	3s	2s	+50%
`polyz_unpack_19_native_aarch64`	✅	3s	3s	+0%
`reduce32`	✅	3s	3s	+0%
`rej_eta_c`	✅	3s	2s	+50%
`rej_eta_native`	✅	3s	3s	+0%
`rej_uniform_eta_native_aarch64`	✅	3s	3s	+0%
`rej_uniform_native_aarch64`	✅	3s	3s	+0%
`shake128_absorb`	✅	3s	3s	+0%
`shake128_finalize`	✅	3s	2s	+50%
`shake128_init`	✅	3s	2s	+50%
`shake128_release`	✅	3s	3s	+0%
`shake128_squeeze`	✅	3s	2s	+50%
`shake256_squeeze`	✅	3s	1s	+200%
`sign_verify`	✅	3s	6s	-50%
`sign_verify_pre_hash_internal`	✅	3s	4s	-25%
`sk_t0hat_get_poly`	✅	3s	3s	+0%
`unpack_sk`	✅	3s	3s	+0%
`unpack_sk_s2hat`	✅	3s	5s	-40%
`unpack_sk_t0hat`	✅	3s	3s	+0%
`use_hint`	✅	3s	4s	-25%
`yvec_get_poly`	✅	3s	3s	+0%
`keccak_f1600_x1_native_aarch64`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	1s	+100%
`keccak_f1600_x4_native_avx2`	✅	2s	2s	+0%
`keccak_squeeze`	✅	2s	2s	+0%
`keccakf1600_extract_bytes (big endian)`	✅	2s	3s	-33%
`keccakf1600_xor_bytes`	✅	2s	5s	-60%
`keccakf1600_xor_bytes (big endian)`	✅	2s	1s	+100%
`keccakf1600x4_permute`	✅	2s	4s	-50%
`keccakf1600x4_xor_bytes_native`	✅	2s	3s	-33%
`make_hint`	✅	2s	3s	-33%
`mld_ct_abs_i32`	✅	2s	2s	+0%
`mld_ct_get_optblocker_i64`	✅	2s	1s	+100%
`mld_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mld_keccakf1600_extract_bytes`	✅	2s	2s	+0%
`mld_keccakf1600x4_extract_bytes_c`	✅	2s	4s	-50%
`mld_value_barrier_u8`	✅	2s	3s	-33%
`montgomery_reduce`	✅	2s	3s	-33%
`pack_sk_s1`	✅	2s	2s	+0%
`pointwise_native_x86_64`	✅	2s	2s	+0%
`poly_chknorm_native_aarch64`	✅	2s	3s	-33%
`poly_chknorm_native_x86_64`	✅	2s	3s	-33%
`poly_decompose_88_native_aarch64`	✅	2s	1s	+100%
`poly_decompose_native`	✅	2s	5s	-60%
`poly_ntt_c`	✅	2s	5s	-60%
`poly_ntt_native`	✅	2s	2s	+0%
`poly_permute_bitrev_to_custom_optional`	✅	2s	3s	-33%
`poly_uniform_gamma1`	✅	2s	5s	-60%
`poly_uniform_gamma1_4x`	✅	2s	3s	-33%
`poly_use_hint_c`	✅	2s	1s	+100%
`polyt1_pack`	✅	2s	2s	+0%
`polyt1_unpack`	✅	2s	5s	-60%
`polyveck_pack_eta`	✅	2s	4s	-50%
`polyvecl_pack_eta`	✅	2s	2s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	2s	2s	+0%
`polyvecl_uniform_gamma1_serial`	✅	2s	3s	-33%
`polyvecl_unpack_eta`	✅	2s	2s	+0%
`polyvecl_unpack_z`	✅	2s	2s	+0%
`polyw1_pack`	✅	2s	1s	+100%
`polyw1_pack_88`	✅	2s	2s	+0%
`rej_eta`	✅	2s	3s	-33%
`shake128x4_squeezeblocks`	✅	2s	2s	+0%
`shake256`	✅	2s	3s	-33%
`shake256_absorb`	✅	2s	1s	+100%
`shake256_finalize`	✅	2s	5s	-60%
`shake256_init`	✅	2s	1s	+100%
`shake256x4_absorb_once`	✅	2s	2s	+0%
`sign_keypair`	✅	2s	3s	-33%
`sk_s1hat_get_poly`	✅	2s	2s	+0%
`unpack_pk_t1`	✅	2s	5s	-60%
`unpack_sk_s1hat`	✅	2s	2s	+0%
`yvec_init`	✅	2s	3s	-33%
`keccakf1600_permute_native`	✅	1s	2s	-50%
`keccakf1600x4_extract_bytes_native`	✅	1s	3s	-67%
`mld_ct_cmask_neg_i32`	✅	1s	4s	-75%
`mld_value_barrier_u32`	✅	1s	2s	-50%
`power2round`	✅	1s	3s	-67%
`shake256_release`	✅	1s	2s	-50%
`sys_check_capability`	✅	1s	2s	-50%

oqs-bot · 2026-06-02T02:07:42Z

CBMC Results (ML-DSA-44, REDUCE-RAM)

Full Results (205 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1496s	1561s	-4.2%
`mld_invntt_layer`	✅	161s	170s	-5%
`poly_pointwise_montgomery_c`	✅	126s	137s	-8%
`rej_uniform_native`	✅	120s	125s	-4%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	111s	113s	-2%
`mld_ct_memcmp`	✅	69s	67s	+3%
`mld_ntt_layer`	✅	42s	43s	-2%
`fqmul`	✅	38s	40s	-5%
`keccakf1600x4_permute_native`	✅	23s	22s	+5%
`mld_attempt_signature_generation`	✅	23s	22s	+5%
`mld_ntt_butterfly_block`	✅	21s	24s	-12%
`sign_verify_internal`	✅	21s	25s	-16%
`polyt0_unpack`	✅	17s	16s	+6%
`rej_uniform_c`	✅	17s	15s	+13%
`poly_chknorm_c`	✅	16s	20s	-20%
`mld_check_pct`	✅	14s	14s	+0%
`poly_uniform_eta_4x`	✅	14s	14s	+0%
`polyeta_unpack`	✅	13s	14s	-7%
`poly_add`	✅	12s	13s	-8%
`polyz_unpack_c`	✅	11s	10s	+10%
`keccak_absorb_once_x4`	✅	9s	8s	+12%
`polyvec_matrix_pointwise_montgomery_row`	✅	9s	10s	-10%
`polyveck_chknorm`	✅	9s	9s	+0%
`compute_pack_t0_t1`	✅	8s	7s	+14%
`rej_uniform`	✅	8s	7s	+14%
`mld_keccakf1600_permute_c`	✅	7s	9s	-22%
`poly_decompose_c`	✅	7s	8s	-12%
`poly_invntt_tomont_c`	✅	7s	8s	-12%
`sign`	✅	7s	7s	+0%
`sign_pk_from_sk`	✅	7s	6s	+17%
`keccak_absorb`	✅	6s	6s	+0%
`mld_sample_s1_s2_serial`	✅	6s	4s	+50%
`pack_sk_s1`	✅	6s	4s	+50%
`pointwise_acc_native_aarch64`	✅	6s	7s	-14%
`pointwise_acc_native_x86_64`	✅	6s	8s	-25%
`poly_use_hint`	✅	6s	4s	+50%
`polyveck_decompose`	✅	6s	6s	+0%
`polyvecl_chknorm`	✅	6s	8s	-25%
`shake128_finalize`	✅	6s	4s	+50%
`make_hint`	✅	5s	4s	+25%
`mld_compute_pack_z`	✅	5s	5s	+0%
`pack_sk_rho_key_tr_s2`	✅	5s	2s	+150%
`poly_challenge`	✅	5s	4s	+25%
`poly_decompose_native`	✅	5s	3s	+67%
`poly_permute_bitrev_to_custom_optional_native`	✅	5s	3s	+67%
`poly_pointwise_montgomery_native`	✅	5s	4s	+25%
`poly_sub`	✅	5s	3s	+67%
`poly_uniform_eta`	✅	5s	6s	-17%
`poly_uniform_gamma1_4x`	✅	5s	3s	+67%
`polyt1_pack`	✅	5s	1s	+400%
`polyw1_pack`	✅	5s	4s	+25%
`polyz_pack`	✅	5s	4s	+25%
`rej_eta_c`	✅	5s	3s	+67%
`sign_keypair`	✅	5s	5s	+0%
`sign_signature_internal`	✅	5s	7s	-29%
`use_hint`	✅	5s	3s	+67%
`caddq`	✅	4s	1s	+300%
`decompose`	✅	4s	3s	+33%
`intt_native_aarch64`	✅	4s	6s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	4s	3s	+33%
`keccak_init`	✅	4s	1s	+300%
`keccak_squeezeblocks_x4`	✅	4s	3s	+33%
`keccakf1600_xor_bytes`	✅	4s	2s	+100%
`mld_ct_cmask_nonzero_u32`	✅	4s	3s	+33%
`mld_h`	✅	4s	4s	+0%
`mld_prepare_domain_separation_prefix`	✅	4s	4s	+0%
`mld_sample_s1_s2`	✅	4s	4s	+0%
`ntt_native_x86_64`	✅	4s	4s	+0%
`poly_chknorm_native`	✅	4s	1s	+300%
`poly_decompose`	✅	4s	3s	+33%
`poly_ntt_native`	✅	4s	2s	+100%
`poly_permute_bitrev_to_custom_optional`	✅	4s	4s	+0%
`poly_shiftl`	✅	4s	5s	-20%
`polyeta_pack`	✅	4s	1s	+300%
`polyt0_pack`	✅	4s	4s	+0%
`polyvec_matrix_expand`	✅	4s	4s	+0%
`polyveck_caddq`	✅	4s	4s	+0%
`polyveck_invntt_tomont`	✅	4s	5s	-20%
`polyveck_unpack_eta`	✅	4s	4s	+0%
`polyvecl_ntt`	✅	4s	6s	-33%
`polyvecl_pointwise_acc_montgomery`	✅	4s	3s	+33%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	4s	+0%
`polyvecl_unpack_eta`	✅	4s	3s	+33%
`polyz_unpack`	✅	4s	3s	+33%
`polyz_unpack_native_x86_64`	✅	4s	3s	+33%
`reduce32`	✅	4s	1s	+300%
`shake128_init`	✅	4s	2s	+100%
`shake128x4_absorb_once`	✅	4s	4s	+0%
`sign_signature`	✅	4s	4s	+0%
`sign_signature_pre_hash_internal`	✅	4s	3s	+33%
`sign_signature_pre_hash_shake256`	✅	4s	8s	-50%
`sign_verify_extmu`	✅	4s	4s	+0%
`sign_verify_pre_hash_shake256`	✅	4s	3s	+33%
`intt_native_x86_64`	✅	3s	2s	+50%
`keccak_f1600_x1_native_aarch64`	✅	3s	2s	+50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	3s	4s	-25%
`keccak_finalize`	✅	3s	2s	+50%
`keccakf1600_permute`	✅	3s	4s	-25%
`keccakf1600x4_extract_bytes`	✅	3s	2s	+50%
`keccakf1600x4_xor_bytes`	✅	3s	3s	+0%
`mld_ct_abs_i32`	✅	3s	2s	+50%
`mld_ct_cmask_neg_i32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u8`	✅	3s	1s	+200%
`mld_ct_sel_int32`	✅	3s	2s	+50%
`mld_keccakf1600x4_extract_bytes_c`	✅	3s	5s	-40%
`mld_polymat_expand_entry`	✅	3s	2s	+50%
`nttunpack_native_x86_64`	✅	3s	3s	+0%
`pack_sig_c`	✅	3s	2s	+50%
`pack_sig_z`	✅	3s	5s	-40%
`poly_caddq_c`	✅	3s	5s	-40%
`poly_caddq_native`	✅	3s	3s	+0%
`poly_caddq_native_aarch64`	✅	3s	4s	-25%
`poly_chknorm_native_aarch64`	✅	3s	2s	+50%
`poly_decompose_88_native_aarch64`	✅	3s	3s	+0%
`poly_invntt_tomont`	✅	3s	2s	+50%
`poly_invntt_tomont_native`	✅	3s	5s	-40%
`poly_ntt_c`	✅	3s	2s	+50%
`poly_pointwise_montgomery`	✅	3s	2s	+50%
`poly_power2round`	✅	3s	7s	-57%
`poly_reduce`	✅	3s	5s	-40%
`poly_uniform`	✅	3s	3s	+0%
`poly_uniform_4x`	✅	3s	5s	-40%
`poly_use_hint_native_aarch64`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	2s	+50%
`polyveck_reduce`	✅	3s	5s	-40%
`polyvecl_pack_eta`	✅	3s	4s	-25%
`polyvecl_unpack_z`	✅	3s	5s	-40%
`power2round`	✅	3s	1s	+200%
`rej_eta`	✅	3s	4s	-25%
`rej_eta_native`	✅	3s	4s	-25%
`rej_uniform_eta_native_aarch64`	✅	3s	2s	+50%
`shake128_release`	✅	3s	2s	+50%
`shake256_squeeze`	✅	3s	4s	-25%
`sig_unpack_hints`	✅	3s	4s	-25%
`sign_keypair_internal`	✅	3s	5s	-40%
`sign_open`	✅	3s	5s	-40%
`sign_signature_extmu`	✅	3s	5s	-40%
`sign_verify`	✅	3s	5s	-40%
`sign_verify_pre_hash_internal`	✅	3s	3s	+0%
`sk_s1hat_get_poly`	✅	3s	2s	+50%
`sk_s2hat_get_poly`	✅	3s	4s	-25%
`sk_t0hat_get_poly`	✅	3s	3s	+0%
`sys_check_capability`	✅	3s	3s	+0%
`unpack_pk_t1`	✅	3s	6s	-50%
`unpack_sk`	✅	3s	2s	+50%
`unpack_sk_s2hat`	✅	3s	3s	+0%
`yvec_get_poly`	✅	3s	3s	+0%
`keccak_squeeze`	✅	2s	2s	+0%
`keccakf1600_extract_bytes (big endian)`	✅	2s	4s	-50%
`keccakf1600_permute_native`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes_native`	✅	2s	4s	-50%
`keccakf1600x4_permute`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u32`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_keccakf1600_extract_bytes`	✅	2s	2s	+0%
`mld_keccakf1600x4_xor_bytes_c`	✅	2s	1s	+100%
`mld_value_barrier_i64`	✅	2s	1s	+100%
`mld_value_barrier_u32`	✅	2s	3s	-33%
`mld_value_barrier_u8`	✅	2s	3s	-33%
`montgomery_reduce`	✅	2s	6s	-67%
`ntt_native_aarch64`	✅	2s	3s	-33%
`pack_sig_h`	✅	2s	2s	+0%
`pointwise_native_aarch64`	✅	2s	3s	-33%
`pointwise_native_x86_64`	✅	2s	1s	+100%
`poly_caddq`	✅	2s	3s	-33%
`poly_chknorm`	✅	2s	1s	+100%
`poly_decompose_32_native_aarch64`	✅	2s	2s	+0%
`poly_ntt`	✅	2s	3s	-33%
`poly_uniform_gamma1`	✅	2s	2s	+0%
`poly_use_hint_c`	✅	2s	5s	-60%
`poly_use_hint_native`	✅	2s	3s	-33%
`polyt1_unpack`	✅	2s	3s	-33%
`polyveck_pack_w1`	✅	2s	4s	-50%
`polyvecl_pointwise_acc_montgomery_c`	✅	2s	3s	-33%
`polyvecl_uniform_gamma1`	✅	2s	3s	-33%
`polyw1_pack_32`	✅	2s	2s	+0%
`polyw1_pack_88`	✅	2s	4s	-50%
`polyz_unpack_17_native_aarch64`	✅	2s	3s	-33%
`polyz_unpack_native`	✅	2s	5s	-60%
`rej_uniform_native_aarch64`	✅	2s	4s	-50%
`shake128x4_squeezeblocks`	✅	2s	3s	-33%
`shake256`	✅	2s	3s	-33%
`shake256_finalize`	✅	2s	1s	+100%
`shake256_init`	✅	2s	3s	-33%
`shake256_release`	✅	2s	2s	+0%
`shake256x4_absorb_once`	✅	2s	3s	-33%
`shake256x4_squeezeblocks`	✅	2s	2s	+0%
`yvec_init`	✅	2s	1s	+100%
`fqscale`	✅	1s	3s	-67%
`keccak_f1600_x4_native_aarch64_v84a`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	1s	+0%
`keccak_f1600_x4_native_avx2`	✅	1s	3s	-67%
`keccakf1600_xor_bytes (big endian)`	✅	1s	2s	-50%
`keccakf1600x4_xor_bytes_native`	✅	1s	3s	-67%
`mld_ct_get_optblocker_i64`	✅	1s	2s	-50%
`poly_caddq_native_x86_64`	✅	1s	2s	-50%
`poly_chknorm_native_x86_64`	✅	1s	1s	+0%
`polyvec_matrix_expand_serial`	✅	1s	2s	-50%
`polyveck_ntt`	✅	1s	2s	-50%
`polyvecl_uniform_gamma1_serial`	✅	1s	2s	-50%
`polyz_unpack_19_native_aarch64`	✅	1s	4s	-75%
`shake128_absorb`	✅	1s	1s	+0%
`shake128_squeeze`	✅	1s	2s	-50%
`shake256_absorb`	✅	1s	3s	-67%
`unpack_sk_s1hat`	✅	1s	4s	-75%
`unpack_sk_t0hat`	✅	1s	5s	-80%

oqs-bot · 2026-06-02T02:09:00Z

CBMC Results (ML-DSA-87)

Full Results (205 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2492s	2349s	+6.1%
`polyvecl_pointwise_acc_montgomery_c`	✅	346s	308s	+12%
`mld_invntt_layer`	✅	308s	287s	+7%
`polyvec_matrix_expand`	✅	230s	224s	+3%
`rej_uniform_native`	✅	154s	144s	+7%
`mld_attempt_signature_generation`	✅	103s	106s	-3%
`poly_pointwise_montgomery_c`	✅	100s	92s	+9%
`mld_ct_memcmp`	✅	70s	66s	+6%
`sign_signature_internal`	✅	68s	67s	+1%
`sign_verify_internal`	✅	60s	60s	+0%
`polyvec_matrix_expand_serial`	✅	48s	47s	+2%
`mld_ntt_layer`	✅	47s	41s	+15%
`fqmul`	✅	42s	42s	+0%
`compute_pack_t0_t1`	✅	32s	32s	+0%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	31s	29s	+7%
`keccakf1600x4_permute_native`	✅	23s	24s	-4%
`mld_ntt_butterfly_block`	✅	22s	21s	+5%
`poly_chknorm_c`	✅	21s	20s	+5%
`rej_uniform`	✅	21s	20s	+5%
`mld_check_pct`	✅	16s	16s	+0%
`polyt0_unpack`	✅	16s	16s	+0%
`polyeta_unpack`	✅	15s	16s	-6%
`poly_uniform_eta_4x`	✅	14s	12s	+17%
`poly_add`	✅	13s	11s	+18%
`poly_uniform_4x`	✅	13s	10s	+30%
`rej_uniform_c`	✅	13s	13s	+0%
`keccak_absorb_once_x4`	✅	11s	10s	+10%
`sign`	✅	10s	8s	+25%
`poly_invntt_tomont_c`	✅	9s	7s	+29%
`polyveck_decompose`	✅	9s	11s	-18%
`polyvecl_ntt`	✅	9s	9s	+0%
`pointwise_acc_native_x86_64`	✅	8s	8s	+0%
`polyveck_invntt_tomont`	✅	8s	7s	+14%
`polyveck_ntt`	✅	8s	8s	+0%
`keccak_absorb`	✅	7s	4s	+75%
`mld_compute_pack_z`	✅	7s	6s	+17%
`mld_keccakf1600_permute_c`	✅	7s	6s	+17%
`mld_sample_s1_s2`	✅	7s	6s	+17%
`poly_decompose_c`	✅	7s	7s	+0%
`poly_ntt`	✅	7s	1s	+600%
`nttunpack_native_x86_64`	✅	6s	3s	+100%
`pointwise_acc_native_aarch64`	✅	6s	7s	-14%
`poly_caddq_c`	✅	6s	6s	+0%
`poly_use_hint_native`	✅	6s	2s	+200%
`polyveck_caddq`	✅	6s	7s	-14%
`polyvecl_unpack_z`	✅	6s	3s	+100%
`sign_keypair_internal`	✅	6s	4s	+50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	5s	1s	+400%
`keccakf1600x4_permute`	✅	5s	2s	+150%
`mld_sample_s1_s2_serial`	✅	5s	5s	+0%
`ntt_native_x86_64`	✅	5s	4s	+25%
`poly_decompose`	✅	5s	3s	+67%
`poly_power2round`	✅	5s	5s	+0%
`poly_uniform_eta`	✅	5s	4s	+25%
`poly_uniform_gamma1`	✅	5s	2s	+150%
`poly_uniform_gamma1_4x`	✅	5s	5s	+0%
`poly_use_hint_c`	✅	5s	4s	+25%
`polyvec_matrix_pointwise_montgomery_row`	✅	5s	5s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	5s	4s	+25%
`polyw1_pack`	✅	5s	3s	+67%
`polyz_unpack_17_native_aarch64`	✅	5s	3s	+67%
`polyz_unpack_c`	✅	5s	7s	-29%
`rej_eta_native`	✅	5s	6s	-17%
`rej_uniform_native_aarch64`	✅	5s	4s	+25%
`shake128x4_absorb_once`	✅	5s	1s	+400%
`shake256_squeeze`	✅	5s	2s	+150%
`sign_keypair`	✅	5s	6s	-17%
`sign_open`	✅	5s	6s	-17%
`sign_pk_from_sk`	✅	5s	7s	-29%
`sign_signature_pre_hash_internal`	✅	5s	3s	+67%
`sign_signature_pre_hash_shake256`	✅	5s	5s	+0%
`sign_verify`	✅	5s	3s	+67%
`sk_t0hat_get_poly`	✅	5s	4s	+25%
`caddq`	✅	4s	4s	+0%
`decompose`	✅	4s	5s	-20%
`keccak_squeeze`	✅	4s	1s	+300%
`keccakf1600x4_extract_bytes`	✅	4s	1s	+300%
`keccakf1600x4_extract_bytes_native`	✅	4s	2s	+100%
`keccakf1600x4_xor_bytes_native`	✅	4s	1s	+300%
`mld_ct_sel_int32`	✅	4s	2s	+100%
`mld_h`	✅	4s	3s	+33%
`mld_keccakf1600x4_xor_bytes_c`	✅	4s	3s	+33%
`mld_prepare_domain_separation_prefix`	✅	4s	3s	+33%
`pack_sk_s1`	✅	4s	1s	+300%
`poly_caddq`	✅	4s	5s	-20%
`poly_caddq_native_aarch64`	✅	4s	2s	+100%
`poly_challenge`	✅	4s	4s	+0%
`poly_chknorm`	✅	4s	1s	+300%
`poly_invntt_tomont_native`	✅	4s	5s	-20%
`poly_reduce`	✅	4s	2s	+100%
`poly_shiftl`	✅	4s	5s	-20%
`poly_sub`	✅	4s	4s	+0%
`poly_use_hint_native_aarch64`	✅	4s	4s	+0%
`polyeta_pack`	✅	4s	3s	+33%
`polyt1_unpack`	✅	4s	3s	+33%
`polyveck_chknorm`	✅	4s	6s	-33%
`polyveck_pack_w1`	✅	4s	3s	+33%
`polyveck_unpack_eta`	✅	4s	1s	+300%
`polyvecl_chknorm`	✅	4s	4s	+0%
`polyz_unpack_native`	✅	4s	3s	+33%
`reduce32`	✅	4s	5s	-20%
`rej_eta_c`	✅	4s	3s	+33%
`shake256_absorb`	✅	4s	1s	+300%
`shake256_init`	✅	4s	2s	+100%
`shake256x4_absorb_once`	✅	4s	3s	+33%
`sig_unpack_hints`	✅	4s	2s	+100%
`sign_signature`	✅	4s	5s	-20%
`sign_verify_pre_hash_shake256`	✅	4s	4s	+0%
`unpack_pk_t1`	✅	4s	5s	-20%
`unpack_sk_t0hat`	✅	4s	5s	-20%
`yvec_init`	✅	4s	1s	+300%
`fqscale`	✅	3s	4s	-25%
`intt_native_aarch64`	✅	3s	4s	-25%
`intt_native_x86_64`	✅	3s	2s	+50%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	2s	+50%
`keccak_finalize`	✅	3s	3s	+0%
`keccak_squeezeblocks_x4`	✅	3s	5s	-40%
`keccakf1600_permute`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes`	✅	3s	4s	-25%
`mld_ct_cmask_neg_i32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u8`	✅	3s	1s	+200%
`mld_keccakf1600_extract_bytes`	✅	3s	2s	+50%
`mld_value_barrier_u8`	✅	3s	2s	+50%
`montgomery_reduce`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	5s	-40%
`pack_sig_c`	✅	3s	3s	+0%
`pack_sig_h`	✅	3s	5s	-40%
`pointwise_native_aarch64`	✅	3s	3s	+0%
`pointwise_native_x86_64`	✅	3s	3s	+0%
`poly_caddq_native`	✅	3s	5s	-40%
`poly_chknorm_native`	✅	3s	4s	-25%
`poly_chknorm_native_x86_64`	✅	3s	1s	+200%
`poly_decompose_88_native_aarch64`	✅	3s	3s	+0%
`poly_decompose_native`	✅	3s	2s	+50%
`poly_ntt_c`	✅	3s	4s	-25%
`poly_ntt_native`	✅	3s	4s	-25%
`poly_permute_bitrev_to_custom_optional_native`	✅	3s	2s	+50%
`poly_pointwise_montgomery`	✅	3s	1s	+200%
`poly_pointwise_montgomery_native`	✅	3s	3s	+0%
`poly_uniform`	✅	3s	4s	-25%
`poly_use_hint`	✅	3s	4s	-25%
`polyt0_pack`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	2s	+50%
`polyvecl_pack_eta`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1`	✅	3s	5s	-40%
`polyz_pack`	✅	3s	1s	+200%
`polyz_unpack`	✅	3s	3s	+0%
`polyz_unpack_19_native_aarch64`	✅	3s	3s	+0%
`rej_eta`	✅	3s	4s	-25%
`rej_uniform_eta_native_aarch64`	✅	3s	4s	-25%
`shake128_release`	✅	3s	3s	+0%
`shake128_squeeze`	✅	3s	2s	+50%
`shake256`	✅	3s	3s	+0%
`shake256_finalize`	✅	3s	4s	-25%
`shake256x4_squeezeblocks`	✅	3s	2s	+50%
`sign_signature_extmu`	✅	3s	5s	-40%
`sign_verify_extmu`	✅	3s	5s	-40%
`sk_s2hat_get_poly`	✅	3s	2s	+50%
`unpack_sk_s1hat`	✅	3s	2s	+50%
`keccak_f1600_x1_native_aarch64`	✅	2s	4s	-50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	1s	+100%
`keccak_f1600_x4_native_avx2`	✅	2s	2s	+0%
`keccak_init`	✅	2s	1s	+100%
`keccakf1600_extract_bytes (big endian)`	✅	2s	2s	+0%
`keccakf1600_permute_native`	✅	2s	3s	-33%
`keccakf1600_xor_bytes`	✅	2s	3s	-33%
`keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`make_hint`	✅	2s	1s	+100%
`mld_ct_get_optblocker_i64`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u32`	✅	2s	1s	+100%
`mld_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mld_polymat_expand_entry`	✅	2s	3s	-33%
`mld_value_barrier_i64`	✅	2s	2s	+0%
`pack_sig_z`	✅	2s	3s	-33%
`pack_sk_rho_key_tr_s2`	✅	2s	3s	-33%
`poly_decompose_32_native_aarch64`	✅	2s	3s	-33%
`poly_invntt_tomont`	✅	2s	3s	-33%
`poly_permute_bitrev_to_custom_optional`	✅	2s	3s	-33%
`polyt1_pack`	✅	2s	4s	-50%
`polyveck_reduce`	✅	2s	4s	-50%
`polyvecl_uniform_gamma1_serial`	✅	2s	1s	+100%
`polyw1_pack_88`	✅	2s	2s	+0%
`polyz_unpack_native_x86_64`	✅	2s	2s	+0%
`power2round`	✅	2s	3s	-33%
`shake128x4_squeezeblocks`	✅	2s	2s	+0%
`shake256_release`	✅	2s	2s	+0%
`sign_verify_pre_hash_internal`	✅	2s	4s	-50%
`sk_s1hat_get_poly`	✅	2s	3s	-33%
`unpack_sk`	✅	2s	4s	-50%
`unpack_sk_s2hat`	✅	2s	4s	-50%
`use_hint`	✅	2s	2s	+0%
`yvec_get_poly`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v84a`	✅	1s	3s	-67%
`mld_ct_abs_i32`	✅	1s	2s	-50%
`mld_keccakf1600x4_extract_bytes_c`	✅	1s	3s	-67%
`mld_value_barrier_u32`	✅	1s	3s	-67%
`poly_caddq_native_x86_64`	✅	1s	4s	-75%
`poly_chknorm_native_aarch64`	✅	1s	6s	-83%
`polyvecl_unpack_eta`	✅	1s	4s	-75%
`polyw1_pack_32`	✅	1s	1s	+0%
`shake128_absorb`	✅	1s	1s	+0%
`shake128_finalize`	✅	1s	2s	-50%
`shake128_init`	✅	1s	3s	-67%
`sys_check_capability`	✅	1s	2s	-50%

oqs-bot · 2026-06-02T02:09:18Z

CBMC Results (ML-DSA-44)

Full Results (205 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1805s	1772s	+1.9%
`mld_invntt_layer`	✅	281s	294s	-4%
`rej_uniform_native`	✅	145s	143s	+1%
`polyvecl_pointwise_acc_montgomery_c`	✅	127s	113s	+12%
`poly_pointwise_montgomery_c`	✅	101s	96s	+5%
`mld_ct_memcmp`	✅	68s	65s	+5%
`mld_attempt_signature_generation`	✅	62s	61s	+2%
`mld_ntt_layer`	✅	43s	45s	-4%
`fqmul`	✅	42s	42s	+0%
`sign_verify_internal`	✅	27s	26s	+4%
`polyvec_matrix_expand`	✅	25s	27s	-7%
`keccakf1600x4_permute_native`	✅	22s	22s	+0%
`mld_ntt_butterfly_block`	✅	22s	22s	+0%
`poly_chknorm_c`	✅	21s	20s	+5%
`rej_uniform`	✅	20s	21s	-5%
`sign_signature_internal`	✅	20s	21s	-5%
`polyeta_unpack`	✅	17s	15s	+13%
`mld_check_pct`	✅	16s	14s	+14%
`polyt0_unpack`	✅	16s	18s	-11%
`compute_pack_t0_t1`	✅	14s	15s	-7%
`poly_uniform_4x`	✅	13s	10s	+30%
`rej_uniform_c`	✅	13s	14s	-7%
`poly_uniform_eta_4x`	✅	12s	11s	+9%
`polyz_unpack_c`	✅	12s	11s	+9%
`poly_add`	✅	11s	10s	+10%
`mld_compute_pack_z`	✅	10s	9s	+11%
`polyveck_chknorm`	✅	10s	11s	-9%
`keccak_absorb_once_x4`	✅	9s	12s	-25%
`pointwise_acc_native_x86_64`	✅	9s	8s	+12%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	9s	10s	-10%
`mld_keccakf1600_permute_c`	✅	8s	7s	+14%
`poly_invntt_tomont_c`	✅	8s	8s	+0%
`keccak_absorb`	✅	7s	5s	+40%
`pointwise_native_aarch64`	✅	7s	2s	+250%
`poly_uniform`	✅	7s	3s	+133%
`sign_pk_from_sk`	✅	7s	6s	+17%
`mld_sample_s1_s2`	✅	6s	2s	+200%
`pointwise_acc_native_aarch64`	✅	6s	5s	+20%
`poly_pointwise_montgomery`	✅	6s	3s	+100%
`poly_power2round`	✅	6s	4s	+50%
`poly_use_hint_c`	✅	6s	8s	-25%
`polyvec_matrix_expand_serial`	✅	6s	8s	-25%
`polyveck_caddq`	✅	6s	4s	+50%
`polyveck_decompose`	✅	6s	10s	-40%
`polyveck_reduce`	✅	6s	3s	+100%
`polyvecl_ntt`	✅	6s	3s	+100%
`sign`	✅	6s	7s	-14%
`sign_signature_pre_hash_internal`	✅	6s	4s	+50%
`sign_signature_pre_hash_shake256`	✅	6s	4s	+50%
`keccakf1600x4_extract_bytes_native`	✅	5s	3s	+67%
`mld_polymat_expand_entry`	✅	5s	2s	+150%
`mld_prepare_domain_separation_prefix`	✅	5s	2s	+150%
`pack_sig_h`	✅	5s	3s	+67%
`pack_sig_z`	✅	5s	2s	+150%
`poly_caddq_c`	✅	5s	5s	+0%
`poly_decompose_c`	✅	5s	3s	+67%
`poly_ntt_native`	✅	5s	2s	+150%
`poly_shiftl`	✅	5s	3s	+67%
`poly_sub`	✅	5s	2s	+150%
`poly_uniform_gamma1_4x`	✅	5s	3s	+67%
`polyveck_invntt_tomont`	✅	5s	3s	+67%
`polyveck_ntt`	✅	5s	3s	+67%
`power2round`	✅	5s	3s	+67%
`reduce32`	✅	5s	4s	+25%
`shake256_release`	✅	5s	4s	+25%
`sign_keypair_internal`	✅	5s	5s	+0%
`sign_signature_extmu`	✅	5s	5s	+0%
`sk_t0hat_get_poly`	✅	5s	3s	+67%
`use_hint`	✅	5s	3s	+67%
`intt_native_aarch64`	✅	4s	4s	+0%
`intt_native_x86_64`	✅	4s	4s	+0%
`keccakf1600x4_permute`	✅	4s	2s	+100%
`make_hint`	✅	4s	2s	+100%
`mld_ct_cmask_nonzero_u32`	✅	4s	3s	+33%
`mld_ct_sel_int32`	✅	4s	3s	+33%
`mld_h`	✅	4s	4s	+0%
`mld_keccakf1600x4_xor_bytes_c`	✅	4s	1s	+300%
`ntt_native_aarch64`	✅	4s	4s	+0%
`pointwise_native_x86_64`	✅	4s	4s	+0%
`poly_caddq`	✅	4s	4s	+0%
`poly_caddq_native`	✅	4s	4s	+0%
`poly_caddq_native_x86_64`	✅	4s	4s	+0%
`poly_decompose_32_native_aarch64`	✅	4s	5s	-20%
`poly_decompose_88_native_aarch64`	✅	4s	2s	+100%
`poly_decompose_native`	✅	4s	4s	+0%
`poly_ntt`	✅	4s	2s	+100%
`poly_permute_bitrev_to_custom_optional`	✅	4s	2s	+100%
`poly_use_hint_native`	✅	4s	3s	+33%
`polyt0_pack`	✅	4s	4s	+0%
`polyvec_matrix_pointwise_montgomery_row`	✅	4s	2s	+100%
`polyveck_pack_eta`	✅	4s	3s	+33%
`polyvecl_chknorm`	✅	4s	6s	-33%
`polyvecl_pack_eta`	✅	4s	4s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	4s	3s	+33%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	2s	+100%
`polyw1_pack_32`	✅	4s	2s	+100%
`polyz_pack`	✅	4s	2s	+100%
`polyz_unpack_native_x86_64`	✅	4s	1s	+300%
`rej_eta_native`	✅	4s	6s	-33%
`rej_uniform_eta_native_aarch64`	✅	4s	7s	-43%
`shake128_absorb`	✅	4s	5s	-20%
`shake128_init`	✅	4s	2s	+100%
`shake256_init`	✅	4s	3s	+33%
`sign_keypair`	✅	4s	5s	-20%
`sign_open`	✅	4s	4s	+0%
`sign_signature`	✅	4s	3s	+33%
`sign_verify_extmu`	✅	4s	4s	+0%
`sign_verify_pre_hash_shake256`	✅	4s	6s	-33%
`unpack_sk`	✅	4s	4s	+0%
`caddq`	✅	3s	1s	+200%
`decompose`	✅	3s	5s	-40%
`fqscale`	✅	3s	3s	+0%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	3s	4s	-25%
`keccakf1600_permute_native`	✅	3s	1s	+200%
`keccakf1600_xor_bytes (big endian)`	✅	3s	5s	-40%
`keccakf1600x4_extract_bytes`	✅	3s	4s	-25%
`mld_ct_cmask_nonzero_u8`	✅	3s	2s	+50%
`mld_keccakf1600x4_extract_bytes_c`	✅	3s	2s	+50%
`mld_value_barrier_u8`	✅	3s	2s	+50%
`nttunpack_native_x86_64`	✅	3s	3s	+0%
`pack_sk_rho_key_tr_s2`	✅	3s	4s	-25%
`pack_sk_s1`	✅	3s	4s	-25%
`poly_caddq_native_aarch64`	✅	3s	1s	+200%
`poly_challenge`	✅	3s	5s	-40%
`poly_chknorm`	✅	3s	3s	+0%
`poly_chknorm_native`	✅	3s	4s	-25%
`poly_chknorm_native_x86_64`	✅	3s	3s	+0%
`poly_decompose`	✅	3s	2s	+50%
`poly_invntt_tomont`	✅	3s	3s	+0%
`poly_invntt_tomont_native`	✅	3s	3s	+0%
`poly_permute_bitrev_to_custom_optional_native`	✅	3s	5s	-40%
`poly_uniform_eta`	✅	3s	4s	-25%
`poly_uniform_gamma1`	✅	3s	3s	+0%
`poly_use_hint`	✅	3s	2s	+50%
`poly_use_hint_native_aarch64`	✅	3s	4s	-25%
`polyeta_pack`	✅	3s	3s	+0%
`polyt1_pack`	✅	3s	4s	-25%
`polyt1_unpack`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1`	✅	3s	4s	-25%
`polyvecl_unpack_z`	✅	3s	4s	-25%
`polyz_unpack`	✅	3s	4s	-25%
`polyz_unpack_17_native_aarch64`	✅	3s	4s	-25%
`polyz_unpack_19_native_aarch64`	✅	3s	3s	+0%
`polyz_unpack_native`	✅	3s	5s	-40%
`rej_eta_c`	✅	3s	2s	+50%
`rej_uniform_native_aarch64`	✅	3s	2s	+50%
`shake128_release`	✅	3s	4s	-25%
`shake128x4_squeezeblocks`	✅	3s	3s	+0%
`shake256`	✅	3s	1s	+200%
`shake256_squeeze`	✅	3s	2s	+50%
`shake256x4_absorb_once`	✅	3s	2s	+50%
`sign_verify_pre_hash_internal`	✅	3s	4s	-25%
`unpack_pk_t1`	✅	3s	2s	+50%
`keccak_f1600_x1_native_aarch64`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	1s	+100%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	3s	-33%
`keccak_finalize`	✅	2s	2s	+0%
`keccak_squeeze`	✅	2s	3s	-33%
`keccak_squeezeblocks_x4`	✅	2s	5s	-60%
`keccakf1600x4_xor_bytes_native`	✅	2s	2s	+0%
`mld_ct_abs_i32`	✅	2s	4s	-50%
`mld_ct_get_optblocker_i64`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u32`	✅	2s	1s	+100%
`mld_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mld_keccakf1600_extract_bytes`	✅	2s	1s	+100%
`mld_sample_s1_s2_serial`	✅	2s	3s	-33%
`mld_value_barrier_u32`	✅	2s	6s	-67%
`ntt_native_x86_64`	✅	2s	3s	-33%
`pack_sig_c`	✅	2s	3s	-33%
`poly_chknorm_native_aarch64`	✅	2s	2s	+0%
`poly_ntt_c`	✅	2s	3s	-33%
`poly_pointwise_montgomery_native`	✅	2s	3s	-33%
`poly_reduce`	✅	2s	4s	-50%
`polyveck_pack_w1`	✅	2s	3s	-33%
`polyveck_unpack_eta`	✅	2s	3s	-33%
`polyvecl_uniform_gamma1_serial`	✅	2s	4s	-50%
`polyvecl_unpack_eta`	✅	2s	5s	-60%
`polyw1_pack`	✅	2s	3s	-33%
`polyw1_pack_88`	✅	2s	5s	-60%
`rej_eta`	✅	2s	3s	-33%
`shake128_finalize`	✅	2s	3s	-33%
`shake128_squeeze`	✅	2s	5s	-60%
`shake128x4_absorb_once`	✅	2s	1s	+100%
`shake256_absorb`	✅	2s	2s	+0%
`shake256_finalize`	✅	2s	2s	+0%
`shake256x4_squeezeblocks`	✅	2s	2s	+0%
`sig_unpack_hints`	✅	2s	5s	-60%
`sign_verify`	✅	2s	3s	-33%
`sk_s1hat_get_poly`	✅	2s	4s	-50%
`unpack_sk_s1hat`	✅	2s	5s	-60%
`unpack_sk_s2hat`	✅	2s	1s	+100%
`yvec_get_poly`	✅	2s	3s	-33%
`yvec_init`	✅	2s	3s	-33%
`keccak_f1600_x4_native_avx2`	✅	1s	4s	-75%
`keccak_init`	✅	1s	2s	-50%
`keccakf1600_extract_bytes (big endian)`	✅	1s	2s	-50%
`keccakf1600_permute`	✅	1s	2s	-50%
`keccakf1600_xor_bytes`	✅	1s	2s	-50%
`keccakf1600x4_xor_bytes`	✅	1s	2s	-50%
`mld_ct_cmask_neg_i32`	✅	1s	2s	-50%
`mld_value_barrier_i64`	✅	1s	2s	-50%
`montgomery_reduce`	✅	1s	2s	-50%
`sk_s2hat_get_poly`	✅	1s	3s	-67%
`sys_check_capability`	✅	1s	1s	+0%
`unpack_sk_t0hat`	✅	1s	3s	-67%

oqs-bot · 2026-06-02T02:10:19Z

CBMC Results (ML-DSA-65)

Full Results (205 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2035s	1985s	+2.5%
`mld_invntt_layer`	✅	276s	260s	+6%
`polyvecl_pointwise_acc_montgomery_c`	✅	205s	193s	+6%
`rej_uniform_native`	✅	150s	144s	+4%
`polyvec_matrix_expand`	✅	130s	128s	+2%
`poly_pointwise_montgomery_c`	✅	95s	94s	+1%
`mld_attempt_signature_generation`	✅	64s	65s	-2%
`mld_ct_memcmp`	✅	64s	64s	+0%
`sign_verify_internal`	✅	63s	63s	+0%
`sign_signature_internal`	✅	47s	46s	+2%
`mld_ntt_layer`	✅	44s	39s	+13%
`fqmul`	✅	39s	40s	-3%
`polyvec_matrix_expand_serial`	✅	24s	27s	-11%
`keccakf1600x4_permute_native`	✅	22s	21s	+5%
`rej_uniform`	✅	22s	21s	+5%
`mld_ntt_butterfly_block`	✅	20s	21s	-5%
`poly_chknorm_c`	✅	19s	20s	-5%
`compute_pack_t0_t1`	✅	16s	15s	+7%
`polyt0_unpack`	✅	16s	16s	+0%
`mld_check_pct`	✅	15s	16s	-6%
`polyvecl_chknorm`	✅	15s	17s	-12%
`rej_uniform_c`	✅	14s	13s	+8%
`polyveck_decompose`	✅	13s	14s	-7%
`keccak_absorb_once_x4`	✅	11s	9s	+22%
`poly_uniform_4x`	✅	11s	12s	-8%
`poly_add`	✅	10s	10s	+0%
`poly_uniform_eta_4x`	✅	9s	12s	-25%
`polyvec_matrix_pointwise_montgomery_yvec`	✅	9s	10s	-10%
`polyveck_chknorm`	✅	9s	10s	-10%
`polyveck_invntt_tomont`	✅	9s	8s	+12%
`polyz_unpack_c`	✅	9s	5s	+80%
`mld_compute_pack_z`	✅	8s	10s	-20%
`poly_invntt_tomont_c`	✅	8s	9s	-11%
`polyveck_ntt`	✅	8s	9s	-11%
`sign_pk_from_sk`	✅	8s	5s	+60%
`keccak_absorb`	✅	7s	5s	+40%
`mld_keccakf1600_permute_c`	✅	7s	8s	-12%
`poly_caddq_c`	✅	7s	5s	+40%
`polyvecl_ntt`	✅	7s	8s	-12%
`mld_sample_s1_s2`	✅	6s	5s	+20%
`pointwise_acc_native_aarch64`	✅	6s	5s	+20%
`pointwise_acc_native_x86_64`	✅	6s	7s	-14%
`poly_pointwise_montgomery`	✅	6s	3s	+100%
`poly_power2round`	✅	6s	5s	+20%
`shake256_finalize`	✅	6s	2s	+200%
`sign`	✅	6s	6s	+0%
`sign_keypair`	✅	6s	5s	+20%
`unpack_pk_t1`	✅	6s	3s	+100%
`keccak_f1600_x1_native_aarch64`	✅	5s	1s	+400%
`keccak_squeezeblocks_x4`	✅	5s	4s	+25%
`mld_ct_cmask_nonzero_u8`	✅	5s	4s	+25%
`ntt_native_x86_64`	✅	5s	3s	+67%
`pointwise_native_aarch64`	✅	5s	3s	+67%
`pointwise_native_x86_64`	✅	5s	2s	+150%
`poly_caddq_native_x86_64`	✅	5s	3s	+67%
`poly_uniform_eta`	✅	5s	3s	+67%
`poly_use_hint_native`	✅	5s	5s	+0%
`polyveck_unpack_eta`	✅	5s	5s	+0%
`sign_keypair_internal`	✅	5s	3s	+67%
`sign_open`	✅	5s	4s	+25%
`sign_signature_extmu`	✅	5s	5s	+0%
`sign_verify_pre_hash_internal`	✅	5s	6s	-17%
`unpack_sk_t0hat`	✅	5s	8s	-38%
`decompose`	✅	4s	4s	+0%
`intt_native_aarch64`	✅	4s	3s	+33%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	4s	5s	-20%
`keccak_f1600_x4_native_avx2`	✅	4s	3s	+33%
`keccakf1600_xor_bytes`	✅	4s	2s	+100%
`keccakf1600x4_xor_bytes_native`	✅	4s	2s	+100%
`mld_h`	✅	4s	4s	+0%
`mld_keccakf1600x4_extract_bytes_c`	✅	4s	2s	+100%
`mld_keccakf1600x4_xor_bytes_c`	✅	4s	3s	+33%
`mld_prepare_domain_separation_prefix`	✅	4s	4s	+0%
`mld_sample_s1_s2_serial`	✅	4s	5s	-20%
`ntt_native_aarch64`	✅	4s	2s	+100%
`poly_caddq_native_aarch64`	✅	4s	4s	+0%
`poly_challenge`	✅	4s	4s	+0%
`poly_permute_bitrev_to_custom_optional_native`	✅	4s	3s	+33%
`poly_uniform`	✅	4s	2s	+100%
`poly_use_hint_c`	✅	4s	4s	+0%
`polyt0_pack`	✅	4s	4s	+0%
`polyt1_pack`	✅	4s	2s	+100%
`polyveck_caddq`	✅	4s	5s	-20%
`polyveck_pack_w1`	✅	4s	5s	-20%
`polyvecl_unpack_z`	✅	4s	3s	+33%
`polyw1_pack`	✅	4s	2s	+100%
`polyz_unpack_native`	✅	4s	3s	+33%
`rej_eta_native`	✅	4s	5s	-20%
`rej_uniform_eta_native_aarch64`	✅	4s	3s	+33%
`shake256_init`	✅	4s	2s	+100%
`shake256x4_absorb_once`	✅	4s	3s	+33%
`sign_signature_pre_hash_internal`	✅	4s	4s	+0%
`sign_signature_pre_hash_shake256`	✅	4s	4s	+0%
`sign_verify_extmu`	✅	4s	5s	-20%
`unpack_sk`	✅	4s	7s	-43%
`unpack_sk_s1hat`	✅	4s	3s	+33%
`yvec_get_poly`	✅	4s	2s	+100%
`yvec_init`	✅	4s	4s	+0%
`intt_native_x86_64`	✅	3s	3s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	1s	+200%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	2s	+50%
`keccak_finalize`	✅	3s	3s	+0%
`keccak_init`	✅	3s	2s	+50%
`keccak_squeeze`	✅	3s	1s	+200%
`keccakf1600_permute_native`	✅	3s	2s	+50%
`keccakf1600_xor_bytes (big endian)`	✅	3s	2s	+50%
`keccakf1600x4_extract_bytes_native`	✅	3s	4s	-25%
`mld_ct_get_optblocker_i64`	✅	3s	3s	+0%
`mld_ct_sel_int32`	✅	3s	4s	-25%
`mld_polymat_expand_entry`	✅	3s	3s	+0%
`mld_value_barrier_u32`	✅	3s	2s	+50%
`nttunpack_native_x86_64`	✅	3s	3s	+0%
`pack_sig_c`	✅	3s	3s	+0%
`pack_sig_h`	✅	3s	2s	+50%
`pack_sk_rho_key_tr_s2`	✅	3s	4s	-25%
`pack_sk_s1`	✅	3s	2s	+50%
`poly_caddq`	✅	3s	2s	+50%
`poly_chknorm`	✅	3s	2s	+50%
`poly_chknorm_native`	✅	3s	4s	-25%
`poly_decompose_32_native_aarch64`	✅	3s	1s	+200%
`poly_decompose_c`	✅	3s	5s	-40%
`poly_ntt`	✅	3s	2s	+50%
`poly_ntt_c`	✅	3s	5s	-40%
`poly_ntt_native`	✅	3s	3s	+0%
`poly_permute_bitrev_to_custom_optional`	✅	3s	3s	+0%
`poly_sub`	✅	3s	2s	+50%
`poly_uniform_gamma1`	✅	3s	4s	-25%
`poly_uniform_gamma1_4x`	✅	3s	4s	-25%
`poly_use_hint`	✅	3s	2s	+50%
`polyeta_pack`	✅	3s	1s	+200%
`polyeta_unpack`	✅	3s	4s	-25%
`polyt1_unpack`	✅	3s	4s	-25%
`polyvec_matrix_pointwise_montgomery_row`	✅	3s	1s	+200%
`polyveck_pack_eta`	✅	3s	3s	+0%
`polyveck_reduce`	✅	3s	5s	-40%
`polyvecl_pointwise_acc_montgomery`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	3s	1s	+200%
`polyvecl_unpack_eta`	✅	3s	3s	+0%
`polyz_unpack_19_native_aarch64`	✅	3s	5s	-40%
`reduce32`	✅	3s	1s	+200%
`rej_eta_c`	✅	3s	4s	-25%
`rej_uniform_native_aarch64`	✅	3s	3s	+0%
`shake128_release`	✅	3s	4s	-25%
`shake128_squeeze`	✅	3s	3s	+0%
`shake128x4_absorb_once`	✅	3s	3s	+0%
`shake128x4_squeezeblocks`	✅	3s	2s	+50%
`sign_verify`	✅	3s	3s	+0%
`sign_verify_pre_hash_shake256`	✅	3s	3s	+0%
`sk_s1hat_get_poly`	✅	3s	4s	-25%
`sk_s2hat_get_poly`	✅	3s	3s	+0%
`sk_t0hat_get_poly`	✅	3s	2s	+50%
`sys_check_capability`	✅	3s	3s	+0%
`use_hint`	✅	3s	1s	+200%
`fqscale`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccakf1600_extract_bytes (big endian)`	✅	2s	2s	+0%
`keccakf1600_permute`	✅	2s	4s	-50%
`keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`keccakf1600x4_xor_bytes`	✅	2s	3s	-33%
`make_hint`	✅	2s	1s	+100%
`mld_ct_cmask_neg_i32`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u8`	✅	2s	1s	+100%
`mld_keccakf1600_extract_bytes`	✅	2s	4s	-50%
`montgomery_reduce`	✅	2s	2s	+0%
`pack_sig_z`	✅	2s	2s	+0%
`poly_decompose`	✅	2s	3s	-33%
`poly_decompose_88_native_aarch64`	✅	2s	2s	+0%
`poly_decompose_native`	✅	2s	2s	+0%
`poly_invntt_tomont_native`	✅	2s	2s	+0%
`poly_pointwise_montgomery_native`	✅	2s	4s	-50%
`poly_reduce`	✅	2s	2s	+0%
`poly_shiftl`	✅	2s	3s	-33%
`poly_use_hint_native_aarch64`	✅	2s	3s	-33%
`polyvecl_pack_eta`	✅	2s	3s	-33%
`polyvecl_uniform_gamma1`	✅	2s	2s	+0%
`polyvecl_uniform_gamma1_serial`	✅	2s	3s	-33%
`polyw1_pack_32`	✅	2s	4s	-50%
`polyw1_pack_88`	✅	2s	3s	-33%
`polyz_pack`	✅	2s	2s	+0%
`polyz_unpack`	✅	2s	3s	-33%
`polyz_unpack_native_x86_64`	✅	2s	2s	+0%
`power2round`	✅	2s	4s	-50%
`rej_eta`	✅	2s	2s	+0%
`shake128_finalize`	✅	2s	3s	-33%
`shake256_absorb`	✅	2s	2s	+0%
`shake256_release`	✅	2s	3s	-33%
`shake256_squeeze`	✅	2s	3s	-33%
`shake256x4_squeezeblocks`	✅	2s	2s	+0%
`sig_unpack_hints`	✅	2s	2s	+0%
`sign_signature`	✅	2s	4s	-50%
`unpack_sk_s2hat`	✅	2s	2s	+0%
`caddq`	✅	1s	3s	-67%
`keccakf1600x4_permute`	✅	1s	2s	-50%
`mld_ct_abs_i32`	✅	1s	4s	-75%
`mld_ct_cmask_nonzero_u32`	✅	1s	3s	-67%
`mld_ct_get_optblocker_u32`	✅	1s	3s	-67%
`mld_value_barrier_i64`	✅	1s	2s	-50%
`mld_value_barrier_u8`	✅	1s	2s	-50%
`poly_caddq_native`	✅	1s	2s	-50%
`poly_chknorm_native_aarch64`	✅	1s	3s	-67%
`poly_chknorm_native_x86_64`	✅	1s	2s	-50%
`poly_invntt_tomont`	✅	1s	4s	-75%
`polyz_unpack_17_native_aarch64`	✅	1s	2s	-50%
`shake128_absorb`	✅	1s	2s	-50%
`shake128_init`	✅	1s	2s	-50%
`shake256`	✅	1s	2s	-50%

jakemas

Looks good to me! Shall we squash the PR into a single commit?

hanno-becker

I think this could be a bit simpler and more generic.

Can we have a single function which takes a filter on tc,tg and trims down promptData and expectedData in one go, based on the filter?

The filter should be configurable and either pass or return a string explaining why the test is dropped. That string is then simply printed out by the overall filter.

This makes it easier to add other sources of unsupported tests in the future (or to deliberately trim down the ACVP test set for other reasons).

WDYT

Some Python/OpenSSL builds lack the truncated SHA-512 variants (SHA2-512/224, SHA2-512/256) needed for pre-hash ACVP test cases. Add --skip-unsupported to drop the affected cases from both prompt and expected results; without it the client errors with guidance on the flag. Expose it through make via ACVP_OPTIONS. Resolves #719 Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

Their Python 3.7 hashlib lacks sha512_224/256, so run them with ACVP_OPTIONS=--skip-unsupported instead of disabling quickcheck and acvp entirely. See #719. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

mkannwischer · 2026-06-20T04:43:08Z

I think this could be a bit simpler and more generic.

Can we have a single function which takes a filter on tc,tg and trims down promptData and expectedData in one go, based on the filter?

The filter should be configurable and either pass or return a string explaining why the test is dropped. That string is then simply printed out by the overall filter.

This makes it easier to add other sources of unsupported tests in the future (or to deliberately trim down the ACVP test set for other reasons).

WDYT

I have pushed a new version. I don't think this qualifies as "simpler", but it should be easier to extend.

hanno-becker · 2026-06-20T04:57:48Z

+        for tg in unwrap_acvts(promptData).get("testGroups", []):
+            for tc in tg["tests"]:
+                reason = should_drop(tg, tc)
+                if reason is not None:
+                    drop[tg["tgId"], tc["tcId"]] = reason
+        for data in (promptData, expectedData):
+            if data is None:
+                continue
+            for tg in unwrap_acvts(data).get("testGroups", []):
+                tg["tests"] = [
+                    tc for tc in tg["tests"] if (tg["tgId"], tc["tcId"]) not in drop
+                ]


Why do we need those loops separately? Why can we not just filter directly in the second loop?

hanno-becker · 2026-06-20T04:58:48Z

+    return h.hexdigest() if xof_len is None else h.hexdigest(xof_len)
+
+
+def hashlib_can_compute(hashAlg):


Nit: Why don't we filter this just once in the beginning rather than with every test?

mkannwischer marked this pull request as ready for review June 2, 2026 03:03

mkannwischer requested a review from a team as a code owner June 2, 2026 03:03

jakemas approved these changes Jun 8, 2026

View reviewed changes

hanno-becker requested changes Jun 20, 2026

View reviewed changes

mkannwischer added 2 commits June 20, 2026 12:41

CI: Re-enable Amazon Linux 2 compatibility tests

482527d

Their Python 3.7 hashlib lacks sha512_224/256, so run them with ACVP_OPTIONS=--skip-unsupported instead of disabling quickcheck and acvp entirely. See #719. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

mkannwischer force-pushed the acvp-skip-unsupported branch from 269563e to 482527d Compare June 20, 2026 04:41

hanno-becker reviewed Jun 20, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ACVP: Allow skipping pre-hash modes unsupported by Python's hashlib#1140

ACVP: Allow skipping pre-hash modes unsupported by Python's hashlib#1140
mkannwischer wants to merge 2 commits into
mainfrom
acvp-skip-unsupported

mkannwischer commented Jun 1, 2026

Uh oh!

oqs-bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Jun 2, 2026 •

edited

Loading

Uh oh!

jakemas left a comment

Uh oh!

hanno-becker left a comment •

edited

Loading

Uh oh!

mkannwischer commented Jun 20, 2026

Uh oh!

hanno-becker Jun 20, 2026

Uh oh!

hanno-becker Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

		return h.hexdigest() if xof_len is None else h.hexdigest(xof_len)


		def hashlib_can_compute(hashAlg):

Conversation

mkannwischer commented Jun 1, 2026

Uh oh!

oqs-bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-87, REDUCE-RAM)

Uh oh!

oqs-bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-65, REDUCE-RAM)

Uh oh!

oqs-bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44, REDUCE-RAM)

Uh oh!

oqs-bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-87)

Uh oh!

oqs-bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44)

Uh oh!

oqs-bot commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-65)

Uh oh!

jakemas left a comment

Choose a reason for hiding this comment

Uh oh!

hanno-becker left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mkannwischer commented Jun 20, 2026

Uh oh!

hanno-becker Jun 20, 2026

Choose a reason for hiding this comment

Uh oh!

hanno-becker Jun 20, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

oqs-bot commented Jun 2, 2026 •

edited

Loading

oqs-bot commented Jun 2, 2026 •

edited

Loading

oqs-bot commented Jun 2, 2026 •

edited

Loading

oqs-bot commented Jun 2, 2026 •

edited

Loading

oqs-bot commented Jun 2, 2026 •

edited

Loading

oqs-bot commented Jun 2, 2026 •

edited

Loading

hanno-becker left a comment •

edited

Loading