Skip to content

x86_64 + HOL-Light: Replace poly_decompose AVX2 intrinsics with hand-written assembly and HOL-Light proofs#1181

Open
jakemas wants to merge 1 commit into
mainfrom
jakemas/poly-decompose-asm
Open

x86_64 + HOL-Light: Replace poly_decompose AVX2 intrinsics with hand-written assembly and HOL-Light proofs#1181
jakemas wants to merge 1 commit into
mainfrom
jakemas/poly-decompose-asm

Conversation

@jakemas

@jakemas jakemas commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Resolves #420
Resolves #914

Supersedes #1163, which could not be reopened after its branch was inadvertently force-pushed while closed. The branch content is unchanged and rebased on the latest main.

Performance

poly_decompose component benchmark, median cycles on AMD EPYC (c6a), OPT=1 CYCLES=PMU:

Variant AVX2 intrinsics (baseline, main) Hand-written AVX2 asm (this PR)
decompose_32 (ML-DSA-65/87) ~1606 ~1607
decompose_88 (ML-DSA-44) ~1869 ~1870

@jakemas jakemas requested a review from a team as a code owner June 15, 2026 19:05
@jakemas jakemas mentioned this pull request Jun 15, 2026
Closed
@oqs-bot

oqs-bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CBMC Results (ML-DSA-65, REDUCE-RAM)

Full Results (206 proofs)
Proof Status Current Previous Change
**TOTAL** 1626s 1546s +5.2%
mld_invntt_layer 183s 170s +8%
poly_pointwise_montgomery_c 141s 131s +8%
rej_uniform_native 133s 122s +9%
polyvec_matrix_pointwise_montgomery_yvec 86s 79s +9%
mld_ct_memcmp 74s 68s +9%
mld_ntt_layer 45s 44s +2%
fqmul 44s 42s +5%
polyveck_chknorm 41s 39s +5%
mld_attempt_signature_generation 25s 24s +4%
keccakf1600x4_permute_native 24s 22s +9%
mld_ntt_butterfly_block 23s 24s -4%
poly_chknorm_c 21s 21s +0%
polyveck_decompose 18s 18s +0%
polyvecl_chknorm 17s 14s +21%
sign_verify_internal 17s 14s +21%
rej_uniform_c 16s 17s -6%
mld_check_pct 15s 16s -6%
polyt0_unpack 15s 16s -6%
poly_uniform_eta_4x 13s 12s +8%
poly_add 12s 10s +20%
mld_keccakf1600_permute_c 10s 7s +43%
sign 10s 6s +67%
keccak_absorb_once_x4 9s 12s -25%
poly_power2round 9s 6s +50%
polyvec_matrix_pointwise_montgomery_row 9s 8s +12%
pointwise_acc_native_x86_64 8s 6s +33%
polyeta_unpack 8s 6s +33%
polyveck_invntt_tomont 8s 6s +33%
polyvecl_ntt 8s 5s +60%
polyz_unpack_c 8s 5s +60%
rej_uniform 8s 8s +0%
sign_pk_from_sk 8s 4s +100%
poly_invntt_tomont_c 7s 9s -22%
sys_check_capability 7s 2s +250%
compute_pack_t0_t1 6s 7s -14%
intt_native_x86_64 6s 4s +50%
pointwise_acc_native_aarch64 6s 5s +20%
polyveck_caddq 6s 6s +0%
polyveck_reduce 6s 4s +50%
sign_signature_internal 6s 5s +20%
keccak_absorb 5s 6s -17%
keccakf1600x4_permute 5s 1s +400%
mld_compute_pack_z 5s 6s -17%
mld_keccakf1600x4_xor_bytes_c 5s 2s +150%
mld_sample_s1_s2_serial 5s 4s +25%
mld_value_barrier_i64 5s 2s +150%
ntt_native_x86_64 5s 4s +25%
pack_sig_h 5s 2s +150%
pack_sig_z 5s 2s +150%
poly_decompose_c 5s 5s +0%
poly_pointwise_montgomery_native 5s 3s +67%
poly_sub 5s 4s +25%
poly_uniform_gamma1 5s 2s +150%
sign_keypair_internal 5s 3s +67%
sign_signature 5s 5s +0%
sign_signature_pre_hash_internal 5s 4s +25%
sign_signature_pre_hash_shake256 5s 4s +25%
sign_verify 5s 6s -17%
sign_verify_pre_hash_internal 5s 3s +67%
sk_s2hat_get_poly 5s 5s +0%
unpack_sk_s2hat 5s 2s +150%
keccak_f1600_x1_native_aarch64_v84a 4s 2s +100%
keccakf1600x4_extract_bytes_native 4s 5s -20%
mld_ct_cmask_neg_i32 4s 1s +300%
mld_ct_get_optblocker_i64 4s 4s +0%
mld_h 4s 5s -20%
mld_polymat_expand_entry 4s 4s +0%
mld_sample_s1_s2 4s 5s -20%
ntt_native_aarch64 4s 4s +0%
nttunpack_native_x86_64 4s 3s +33%
pack_sk_rho_key_tr_s2 4s 4s +0%
poly_caddq 4s 3s +33%
poly_challenge 4s 4s +0%
poly_decompose_32_native_aarch64 4s 3s +33%
poly_decompose_native 4s 2s +100%
poly_invntt_tomont_native 4s 4s +0%
poly_ntt_native 4s 3s +33%
poly_permute_bitrev_to_custom_optional 4s 3s +33%
poly_reduce 4s 5s -20%
poly_uniform_gamma1_4x 4s 2s +100%
poly_use_hint_native 4s 3s +33%
polyvec_matrix_expand 4s 4s +0%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyw1_pack 4s 2s +100%
polyw1_pack_32 4s 3s +33%
polyz_pack 4s 5s -20%
polyz_unpack_17_native_aarch64 4s 2s +100%
power2round 4s 4s +0%
rej_eta 4s 2s +100%
rej_eta_native 4s 6s -33%
shake256x4_absorb_once 4s 2s +100%
sign_keypair 4s 6s -33%
sign_open 4s 6s -33%
unpack_sk_s1hat 4s 3s +33%
yvec_get_poly 4s 4s +0%
fqscale 3s 3s +0%
intt_native_aarch64 3s 3s +0%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 2s +50%
keccak_finalize 3s 5s -40%
keccak_squeezeblocks_x4 3s 3s +0%
keccakf1600_extract_bytes (big endian) 3s 2s +50%
keccakf1600x4_xor_bytes_native 3s 2s +50%
make_hint 3s 1s +200%
mld_prepare_domain_separation_prefix 3s 5s -40%
montgomery_reduce 3s 4s -25%
pointwise_native_aarch64 3s 4s -25%
pointwise_native_x86_64 3s 3s +0%
poly_caddq_c 3s 4s -25%
poly_caddq_native_aarch64 3s 2s +50%
poly_caddq_native_x86_64 3s 3s +0%
poly_chknorm 3s 3s +0%
poly_chknorm_native_aarch64 3s 2s +50%
poly_chknorm_native_x86_64 3s 3s +0%
poly_decompose 3s 2s +50%
poly_decompose_native_x86_64 3s - new
poly_invntt_tomont 3s 3s +0%
poly_ntt_c 3s 3s +0%
poly_permute_bitrev_to_custom_optional_native 3s 4s -25%
poly_pointwise_montgomery 3s 3s +0%
poly_uniform 3s 3s +0%
poly_uniform_4x 3s 3s +0%
poly_uniform_eta 3s 4s -25%
poly_use_hint_c 3s 4s -25%
poly_use_hint_native_aarch64 3s 3s +0%
polyeta_pack 3s 3s +0%
polyt0_pack 3s 3s +0%
polyt1_pack 3s 3s +0%
polyt1_unpack 3s 5s -40%
polyveck_unpack_eta 3s 4s -25%
polyvecl_pack_eta 3s 3s +0%
polyvecl_pointwise_acc_montgomery 3s 4s -25%
polyvecl_pointwise_acc_montgomery_c 3s 8s -62%
polyvecl_uniform_gamma1 3s 3s +0%
polyvecl_unpack_eta 3s 5s -40%
polyz_unpack_19_native_aarch64 3s 4s -25%
polyz_unpack_native 3s 3s +0%
polyz_unpack_native_x86_64 3s 2s +50%
shake128_absorb 3s 1s +200%
shake128_finalize 3s 3s +0%
shake256_absorb 3s 2s +50%
shake256_finalize 3s 2s +50%
shake256_squeeze 3s 3s +0%
sign_signature_extmu 3s 4s -25%
sign_verify_extmu 3s 2s +50%
sign_verify_pre_hash_shake256 3s 5s -40%
sk_s1hat_get_poly 3s 5s -40%
sk_t0hat_get_poly 3s 2s +50%
unpack_sk 3s 2s +50%
unpack_sk_t0hat 3s 3s +0%
yvec_init 3s 2s +50%
decompose 2s 3s -33%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 2s +0%
keccak_f1600_x4_native_avx2 2s 4s -50%
keccak_init 2s 3s -33%
keccak_squeeze 2s 2s +0%
keccakf1600_permute 2s 1s +100%
keccakf1600_permute_native 2s 4s -50%
keccakf1600x4_xor_bytes 2s 2s +0%
mld_ct_abs_i32 2s 4s -50%
mld_ct_cmask_nonzero_u32 2s 3s -33%
mld_ct_cmask_nonzero_u8 2s 6s -67%
mld_ct_get_optblocker_u32 2s 5s -60%
mld_ct_sel_int32 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 2s +0%
mld_keccakf1600x4_extract_bytes_c 2s 3s -33%
mld_value_barrier_u32 2s 1s +100%
mld_value_barrier_u8 2s 2s +0%
pack_sig_c 2s 2s +0%
pack_sk_s1 2s 2s +0%
poly_caddq_native 2s 3s -33%
poly_chknorm_native 2s 2s +0%
poly_decompose_88_native_aarch64 2s 2s +0%
poly_ntt 2s 2s +0%
poly_shiftl 2s 4s -50%
polyvec_matrix_expand_serial 2s 3s -33%
polyveck_ntt 2s 4s -50%
polyveck_pack_eta 2s 3s -33%
polyveck_pack_w1 2s 2s +0%
polyvecl_pointwise_acc_montgomery_native 2s 3s -33%
polyvecl_unpack_z 2s 4s -50%
polyw1_pack_88 2s 1s +100%
polyz_unpack 2s 3s -33%
reduce32 2s 2s +0%
rej_eta_c 2s 4s -50%
rej_uniform_eta_native_aarch64 2s 4s -50%
rej_uniform_native_aarch64 2s 2s +0%
shake128_init 2s 2s +0%
shake128_release 2s 1s +100%
shake128_squeeze 2s 2s +0%
shake128x4_absorb_once 2s 2s +0%
shake128x4_squeezeblocks 2s 3s -33%
shake256 2s 2s +0%
shake256_init 2s 3s -33%
shake256_release 2s 2s +0%
shake256x4_squeezeblocks 2s 4s -50%
sig_unpack_hints 2s 3s -33%
unpack_pk_t1 2s 4s -50%
use_hint 2s 3s -33%
caddq 1s 4s -75%
keccak_f1600_x1_native_aarch64 1s 2s -50%
keccak_f1600_x4_native_aarch64_v84a 1s 1s +0%
keccakf1600_xor_bytes 1s 2s -50%
keccakf1600_xor_bytes (big endian) 1s 3s -67%
keccakf1600x4_extract_bytes 1s 2s -50%
mld_ct_get_optblocker_u8 1s 4s -75%
poly_use_hint 1s 4s -75%

@oqs-bot

oqs-bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CBMC Results (ML-DSA-44, REDUCE-RAM)

Full Results (206 proofs)
Proof Status Current Previous Change
**TOTAL** 1591s 1535s +3.6%
mld_invntt_layer 177s 165s +7%
poly_pointwise_montgomery_c 142s 129s +10%
rej_uniform_native 123s 123s +0%
polyvec_matrix_pointwise_montgomery_yvec 116s 116s +0%
mld_ct_memcmp 73s 68s +7%
mld_ntt_layer 44s 44s +0%
fqmul 41s 43s -5%
mld_attempt_signature_generation 25s 25s +0%
sign_verify_internal 24s 23s +4%
mld_ntt_butterfly_block 23s 24s -4%
keccakf1600x4_permute_native 22s 24s -8%
poly_chknorm_c 20s 18s +11%
polyeta_unpack 16s 17s -6%
polyt0_unpack 16s 17s -6%
rej_uniform_c 15s 15s +0%
mld_check_pct 14s 13s +8%
poly_uniform_eta_4x 13s 13s +0%
compute_pack_t0_t1 11s 11s +0%
poly_add 11s 11s +0%
polyz_unpack_c 11s 11s +0%
poly_invntt_tomont_c 9s 10s -10%
keccak_absorb 8s 6s +33%
keccak_absorb_once_x4 8s 12s -33%
polyveck_chknorm 8s 8s +0%
polyveck_decompose 8s 5s +60%
rej_uniform 8s 7s +14%
mld_compute_pack_z 7s 5s +40%
mld_sample_s1_s2_serial 7s 5s +40%
pointwise_acc_native_x86_64 7s 5s +40%
poly_sub 7s 3s +133%
polyvec_matrix_pointwise_montgomery_row 7s 9s -22%
pointwise_acc_native_aarch64 6s 6s +0%
poly_caddq_c 6s 4s +50%
poly_decompose_c 6s 7s -14%
polyveck_caddq 6s 3s +100%
polyvecl_chknorm 6s 6s +0%
sign 6s 7s -14%
sign_signature_internal 6s 7s -14%
sk_t0hat_get_poly 6s 3s +100%
intt_native_aarch64 5s 2s +150%
keccak_squeezeblocks_x4 5s 3s +67%
keccakf1600x4_xor_bytes 5s 4s +25%
mld_keccakf1600_permute_c 5s 5s +0%
poly_chknorm_native_aarch64 5s 2s +150%
poly_pointwise_montgomery 5s 3s +67%
poly_power2round 5s 5s +0%
poly_reduce 5s 5s +0%
poly_shiftl 5s 4s +25%
poly_uniform 5s 3s +67%
poly_uniform_gamma1_4x 5s 3s +67%
poly_use_hint_native_aarch64 5s 3s +67%
polyt1_unpack 5s 2s +150%
polyveck_invntt_tomont 5s 4s +25%
polyvecl_ntt 5s 7s -29%
polyvecl_uniform_gamma1 5s 4s +25%
polyz_unpack_native_x86_64 5s 4s +25%
rej_eta_c 5s 4s +25%
sign_pk_from_sk 5s 3s +67%
sign_verify 5s 3s +67%
sign_verify_pre_hash_internal 5s 6s -17%
yvec_get_poly 5s 2s +150%
caddq 4s 3s +33%
decompose 4s 3s +33%
fqscale 4s 4s +0%
keccak_f1600_x4_native_aarch64_v84a 4s 2s +100%
keccakf1600_permute_native 4s 3s +33%
mld_ct_cmask_neg_i32 4s 1s +300%
mld_ct_get_optblocker_u32 4s 1s +300%
mld_h 4s 3s +33%
mld_sample_s1_s2 4s 4s +0%
nttunpack_native_x86_64 4s 3s +33%
poly_caddq_native_aarch64 4s 2s +100%
poly_caddq_native_x86_64 4s 2s +100%
poly_chknorm 4s 3s +33%
poly_decompose_32_native_aarch64 4s 4s +0%
poly_decompose_88_native_aarch64 4s 4s +0%
poly_decompose_native 4s 4s +0%
poly_ntt 4s 3s +33%
poly_ntt_native 4s 4s +0%
poly_use_hint_c 4s 4s +0%
poly_use_hint_native 4s 4s +0%
polyt1_pack 4s 2s +100%
polyveck_pack_eta 4s 3s +33%
polyveck_reduce 4s 4s +0%
polyvecl_pointwise_acc_montgomery 4s 2s +100%
polyvecl_pointwise_acc_montgomery_c 4s 2s +100%
polyz_pack 4s 3s +33%
polyz_unpack_19_native_aarch64 4s 4s +0%
power2round 4s 2s +100%
rej_eta 4s 2s +100%
rej_eta_native 4s 3s +33%
rej_uniform_eta_native_aarch64 4s 4s +0%
shake128x4_absorb_once 4s 2s +100%
shake256_release 4s 4s +0%
sign_keypair_internal 4s 6s -33%
sign_open 4s 4s +0%
sign_verify_extmu 4s 3s +33%
unpack_sk_s1hat 4s 3s +33%
unpack_sk_t0hat 4s 3s +33%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x1_native_aarch64 3s 1s +200%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 2s +50%
keccak_f1600_x4_native_avx2 3s 1s +200%
keccakf1600_extract_bytes (big endian) 3s 3s +0%
make_hint 3s 4s -25%
mld_ct_cmask_nonzero_u32 3s 5s -40%
mld_ct_cmask_nonzero_u8 3s 2s +50%
mld_ct_sel_int32 3s 1s +200%
mld_keccakf1600_extract_bytes 3s 2s +50%
mld_polymat_expand_entry 3s 5s -40%
mld_prepare_domain_separation_prefix 3s 4s -25%
mld_value_barrier_i64 3s 1s +200%
ntt_native_aarch64 3s 2s +50%
pack_sig_h 3s 4s -25%
pack_sig_z 3s 4s -25%
pack_sk_rho_key_tr_s2 3s 3s +0%
pack_sk_s1 3s 2s +50%
pointwise_native_aarch64 3s 7s -57%
poly_caddq 3s 1s +200%
poly_challenge 3s 5s -40%
poly_chknorm_native 3s 2s +50%
poly_chknorm_native_x86_64 3s 3s +0%
poly_decompose_native_x86_64 3s - new
poly_invntt_tomont_native 3s 2s +50%
poly_ntt_c 3s 5s -40%
poly_permute_bitrev_to_custom_optional 3s 3s +0%
poly_pointwise_montgomery_native 3s 6s -50%
poly_uniform_eta 3s 4s -25%
poly_uniform_gamma1 3s 4s -25%
poly_use_hint 3s 5s -40%
polyeta_pack 3s 2s +50%
polyvec_matrix_expand 3s 1s +200%
polyvecl_pack_eta 3s 1s +200%
polyvecl_pointwise_acc_montgomery_native 3s 5s -40%
polyvecl_unpack_z 3s 2s +50%
polyw1_pack_32 3s 4s -25%
polyz_unpack 3s 1s +200%
polyz_unpack_17_native_aarch64 3s 4s -25%
polyz_unpack_native 3s 3s +0%
shake128_absorb 3s 4s -25%
shake128_squeeze 3s 2s +50%
shake128x4_squeezeblocks 3s 1s +200%
shake256_absorb 3s 2s +50%
shake256_squeeze 3s 2s +50%
shake256x4_absorb_once 3s 1s +200%
sig_unpack_hints 3s 3s +0%
sign_keypair 3s 5s -40%
sign_signature 3s 2s +50%
sign_signature_pre_hash_internal 3s 3s +0%
sign_signature_pre_hash_shake256 3s 7s -57%
sk_s1hat_get_poly 3s 2s +50%
sys_check_capability 3s 5s -40%
unpack_pk_t1 3s 3s +0%
unpack_sk 3s 2s +50%
use_hint 3s 7s -57%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 4s -50%
keccak_finalize 2s 2s +0%
keccak_init 2s 3s -33%
keccak_squeeze 2s 2s +0%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600_xor_bytes (big endian) 2s 4s -50%
keccakf1600x4_extract_bytes 2s 2s +0%
keccakf1600x4_extract_bytes_native 2s 4s -50%
keccakf1600x4_permute 2s 2s +0%
keccakf1600x4_xor_bytes_native 2s 3s -33%
mld_ct_abs_i32 2s 4s -50%
mld_keccakf1600x4_extract_bytes_c 2s 1s +100%
mld_keccakf1600x4_xor_bytes_c 2s 2s +0%
mld_value_barrier_u8 2s 1s +100%
montgomery_reduce 2s 3s -33%
ntt_native_x86_64 2s 3s -33%
pack_sig_c 2s 2s +0%
pointwise_native_x86_64 2s 3s -33%
poly_caddq_native 2s 2s +0%
poly_decompose 2s 3s -33%
poly_invntt_tomont 2s 4s -50%
poly_permute_bitrev_to_custom_optional_native 2s 2s +0%
poly_uniform_4x 2s 2s +0%
polyt0_pack 2s 4s -50%
polyvec_matrix_expand_serial 2s 3s -33%
polyveck_pack_w1 2s 3s -33%
polyveck_unpack_eta 2s 2s +0%
polyvecl_uniform_gamma1_serial 2s 3s -33%
polyw1_pack 2s 2s +0%
polyw1_pack_88 2s 2s +0%
rej_uniform_native_aarch64 2s 4s -50%
shake128_finalize 2s 3s -33%
shake128_release 2s 1s +100%
shake256 2s 2s +0%
shake256_init 2s 2s +0%
shake256x4_squeezeblocks 2s 3s -33%
sign_signature_extmu 2s 5s -60%
sign_verify_pre_hash_shake256 2s 3s -33%
sk_s2hat_get_poly 2s 2s +0%
unpack_sk_s2hat 2s 3s -33%
yvec_init 2s 4s -50%
keccak_f1600_x1_native_aarch64_v84a 1s 3s -67%
keccakf1600_permute 1s 2s -50%
mld_ct_get_optblocker_i64 1s 2s -50%
mld_ct_get_optblocker_u8 1s 4s -75%
mld_value_barrier_u32 1s 3s -67%
polyveck_ntt 1s 1s +0%
polyvecl_unpack_eta 1s 2s -50%
reduce32 1s 6s -83%
shake128_init 1s 3s -67%
shake256_finalize 1s 1s +0%

@oqs-bot

oqs-bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CBMC Results (ML-DSA-87, REDUCE-RAM)

Full Results (206 proofs)
Proof Status Current Previous Change
**TOTAL** 1692s 1573s +7.6%
mld_invntt_layer 178s 161s +11%
polyvec_matrix_pointwise_montgomery_yvec 163s 146s +12%
poly_pointwise_montgomery_c 144s 130s +11%
rej_uniform_native 130s 121s +7%
mld_ct_memcmp 71s 62s +15%
fqmul 43s 38s +13%
mld_ntt_layer 42s 41s +2%
mld_attempt_signature_generation 36s 32s +12%
mld_ntt_butterfly_block 24s 18s +33%
keccakf1600x4_permute_native 23s 23s +0%
sign_verify_internal 21s 23s -9%
poly_chknorm_c 20s 17s +18%
polyt0_unpack 19s 16s +19%
polyveck_decompose 16s 19s -16%
rej_uniform_c 16s 14s +14%
poly_uniform_eta_4x 14s 12s +17%
polyeta_unpack 13s 14s -7%
compute_pack_t0_t1 12s 10s +20%
mld_check_pct 11s 10s +10%
poly_add 11s 11s +0%
polyvecl_chknorm 11s 11s +0%
keccak_absorb_once_x4 10s 10s +0%
poly_invntt_tomont_c 9s 10s -10%
polyvec_matrix_pointwise_montgomery_row 9s 7s +29%
polyveck_invntt_tomont 9s 7s +29%
rej_uniform 9s 7s +29%
sign 9s 7s +29%
mld_compute_pack_z 8s 3s +167%
mld_sample_s1_s2 8s 5s +60%
pointwise_acc_native_x86_64 8s 7s +14%
poly_power2round 8s 5s +60%
polyvecl_ntt 8s 7s +14%
keccak_absorb 7s 7s +0%
keccak_squeezeblocks_x4 7s 4s +75%
pointwise_acc_native_aarch64 7s 5s +40%
rej_eta_native 7s 3s +133%
sign_signature 7s 7s +0%
keccak_f1600_x1_native_aarch64 6s 3s +100%
mld_keccakf1600_permute_c 6s 7s -14%
mld_prepare_domain_separation_prefix 6s 5s +20%
nttunpack_native_x86_64 6s 2s +200%
poly_caddq_c 6s 4s +50%
poly_ntt_c 6s 1s +500%
polyz_unpack_c 6s 5s +20%
sign_keypair_internal 6s 3s +100%
sign_pk_from_sk 6s 8s -25%
unpack_sk_s2hat 6s 4s +50%
yvec_get_poly 6s 3s +100%
keccak_f1600_x4_native_aarch64_v84a 5s 1s +400%
pack_sig_c 5s 3s +67%
pointwise_native_x86_64 5s 3s +67%
poly_caddq 5s 3s +67%
poly_chknorm_native_x86_64 5s 3s +67%
poly_reduce 5s 3s +67%
poly_uniform_gamma1_4x 5s 2s +150%
polyveck_caddq 5s 5s +0%
polyveck_reduce 5s 5s +0%
polyvecl_pointwise_acc_montgomery_c 5s 3s +67%
polyz_pack 5s 4s +25%
rej_eta 5s 3s +67%
rej_uniform_native_aarch64 5s 3s +67%
shake128_finalize 5s 3s +67%
shake256_squeeze 5s 3s +67%
sign_keypair 5s 6s -17%
sign_signature_extmu 5s 3s +67%
sign_signature_internal 5s 5s +0%
sign_verify_pre_hash_internal 5s 5s +0%
caddq 4s 2s +100%
decompose 4s 3s +33%
intt_native_x86_64 4s 3s +33%
keccak_squeeze 4s 3s +33%
keccakf1600x4_extract_bytes_native 4s 1s +300%
mld_ct_abs_i32 4s 3s +33%
mld_h 4s 3s +33%
mld_sample_s1_s2_serial 4s 6s -33%
montgomery_reduce 4s 3s +33%
ntt_native_aarch64 4s 4s +0%
ntt_native_x86_64 4s 3s +33%
poly_caddq_native 4s 4s +0%
poly_challenge 4s 5s -20%
poly_chknorm_native 4s 2s +100%
poly_chknorm_native_aarch64 4s 4s +0%
poly_decompose_c 4s 4s +0%
poly_permute_bitrev_to_custom_optional 4s 5s -20%
poly_shiftl 4s 5s -20%
poly_sub 4s 5s -20%
poly_uniform 4s 5s -20%
polyveck_pack_w1 4s 2s +100%
polyw1_pack_32 4s 3s +33%
rej_eta_c 4s 4s +0%
sig_unpack_hints 4s 2s +100%
sign_open 4s 6s -33%
sign_signature_pre_hash_internal 4s 3s +33%
sign_signature_pre_hash_shake256 4s 3s +33%
sign_verify 4s 4s +0%
sign_verify_pre_hash_shake256 4s 4s +0%
unpack_pk_t1 4s 3s +33%
unpack_sk_t0hat 4s 4s +0%
fqscale 3s 4s -25%
intt_native_aarch64 3s 4s -25%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 3s 3s +0%
keccak_f1600_x4_native_avx2 3s 3s +0%
keccak_finalize 3s 3s +0%
keccak_init 3s 2s +50%
keccakf1600x4_extract_bytes 3s 2s +50%
keccakf1600x4_permute 3s 1s +200%
keccakf1600x4_xor_bytes_native 3s 4s -25%
mld_ct_cmask_neg_i32 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 4s -25%
mld_keccakf1600x4_xor_bytes_c 3s 1s +200%
pack_sig_h 3s 6s -50%
pack_sig_z 3s 2s +50%
pack_sk_rho_key_tr_s2 3s 2s +50%
pack_sk_s1 3s 4s -25%
poly_caddq_native_aarch64 3s 2s +50%
poly_caddq_native_x86_64 3s 3s +0%
poly_decompose 3s 2s +50%
poly_decompose_32_native_aarch64 3s 3s +0%
poly_decompose_88_native_aarch64 3s 5s -40%
poly_decompose_native 3s 3s +0%
poly_decompose_native_x86_64 3s - new
poly_ntt 3s 3s +0%
poly_permute_bitrev_to_custom_optional_native 3s 2s +50%
poly_pointwise_montgomery_native 3s 3s +0%
poly_uniform_eta 3s 4s -25%
poly_uniform_gamma1 3s 3s +0%
poly_use_hint_c 3s 3s +0%
polyeta_pack 3s 5s -40%
polyt0_pack 3s 4s -25%
polyt1_pack 3s 6s -50%
polyt1_unpack 3s 2s +50%
polyvec_matrix_expand 3s 2s +50%
polyveck_unpack_eta 3s 2s +50%
polyvecl_pack_eta 3s 2s +50%
polyvecl_pointwise_acc_montgomery 3s 6s -50%
polyvecl_uniform_gamma1 3s 2s +50%
polyvecl_unpack_eta 3s 3s +0%
polyvecl_unpack_z 3s 5s -40%
polyw1_pack_88 3s 4s -25%
polyz_unpack 3s 3s +0%
polyz_unpack_19_native_aarch64 3s 2s +50%
polyz_unpack_native_x86_64 3s 3s +0%
power2round 3s 3s +0%
reduce32 3s 3s +0%
shake128_absorb 3s 3s +0%
shake128_init 3s 4s -25%
shake128_squeeze 3s 2s +50%
shake128x4_absorb_once 3s 4s -25%
shake256_finalize 3s 4s -25%
shake256_init 3s 2s +50%
shake256_release 3s 1s +200%
unpack_sk_s1hat 3s 1s +200%
yvec_init 3s 2s +50%
keccak_f1600_x1_native_aarch64_v84a 2s 3s -33%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 3s -33%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600_permute 2s 2s +0%
keccakf1600_xor_bytes 2s 1s +100%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_xor_bytes 2s 3s -33%
make_hint 2s 2s +0%
mld_ct_cmask_nonzero_u8 2s 2s +0%
mld_ct_sel_int32 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 1s +100%
mld_polymat_expand_entry 2s 3s -33%
mld_value_barrier_i64 2s 2s +0%
mld_value_barrier_u32 2s 6s -67%
pointwise_native_aarch64 2s 3s -33%
poly_invntt_tomont 2s 3s -33%
poly_ntt_native 2s 6s -67%
poly_pointwise_montgomery 2s 4s -50%
poly_uniform_4x 2s 2s +0%
poly_use_hint 2s 3s -33%
poly_use_hint_native 2s 3s -33%
polyvec_matrix_expand_serial 2s 2s +0%
polyveck_chknorm 2s 5s -60%
polyveck_pack_eta 2s 1s +100%
polyvecl_pointwise_acc_montgomery_native 2s 4s -50%
polyvecl_uniform_gamma1_serial 2s 3s -33%
polyw1_pack 2s 3s -33%
polyz_unpack_17_native_aarch64 2s 3s -33%
polyz_unpack_native 2s 5s -60%
rej_uniform_eta_native_aarch64 2s 4s -50%
shake128_release 2s 3s -33%
shake256_absorb 2s 5s -60%
shake256x4_absorb_once 2s 4s -50%
shake256x4_squeezeblocks 2s 2s +0%
sign_verify_extmu 2s 6s -67%
sk_s1hat_get_poly 2s 3s -33%
sk_s2hat_get_poly 2s 1s +100%
sk_t0hat_get_poly 2s 3s -33%
sys_check_capability 2s 4s -50%
unpack_sk 2s 4s -50%
use_hint 2s 2s +0%
keccakf1600_permute_native 1s 3s -67%
mld_ct_get_optblocker_i64 1s 2s -50%
mld_ct_get_optblocker_u32 1s 1s +0%
mld_ct_get_optblocker_u8 1s 3s -67%
mld_keccakf1600x4_extract_bytes_c 1s 3s -67%
mld_value_barrier_u8 1s 2s -50%
poly_chknorm 1s 2s -50%
poly_invntt_tomont_native 1s 2s -50%
poly_use_hint_native_aarch64 1s 5s -80%
polyveck_ntt 1s 5s -80%
shake128x4_squeezeblocks 1s 2s -50%
shake256 1s 3s -67%

@oqs-bot

oqs-bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CBMC Results (ML-DSA-65)

Full Results (206 proofs)
Proof Status Current Previous Change
**TOTAL** 2202s 2103s +4.7%
mld_invntt_layer 321s 302s +6%
polyvecl_pointwise_acc_montgomery_c 234s 204s +15%
rej_uniform_native 160s 145s +10%
polyvec_matrix_expand 141s 132s +7%
poly_pointwise_montgomery_c 111s 97s +14%
mld_ct_memcmp 71s 64s +11%
mld_attempt_signature_generation 69s 67s +3%
sign_verify_internal 66s 68s -3%
mld_ntt_layer 48s 44s +9%
sign_signature_internal 47s 47s +0%
fqmul 45s 42s +7%
polyvec_matrix_expand_serial 24s 25s -4%
keccakf1600x4_permute_native 23s 22s +5%
mld_ntt_butterfly_block 23s 23s +0%
rej_uniform 21s 22s -5%
polyvecl_chknorm 20s 19s +5%
compute_pack_t0_t1 19s 16s +19%
poly_chknorm_c 18s 20s -10%
mld_check_pct 16s 16s +0%
polyt0_unpack 16s 15s +7%
poly_uniform_4x 14s 13s +8%
polyveck_decompose 14s 16s -12%
rej_uniform_c 14s 13s +8%
poly_uniform_eta_4x 13s 14s -7%
poly_add 12s 12s +0%
polyveck_chknorm 12s 10s +20%
mld_compute_pack_z 11s 8s +38%
keccak_absorb_once_x4 9s 8s +12%
poly_invntt_tomont_c 9s 9s +0%
polyvec_matrix_pointwise_montgomery_yvec 9s 10s -10%
pointwise_acc_native_aarch64 8s 4s +100%
polyveck_ntt 8s 9s -11%
polyvecl_ntt 8s 8s +0%
polyveck_invntt_tomont 7s 8s -12%
polyz_unpack_c 7s 7s +0%
unpack_sk_t0hat 7s 8s -12%
keccak_absorb 6s 7s -14%
mld_keccakf1600_permute_c 6s 8s -25%
pointwise_acc_native_x86_64 6s 5s +20%
poly_power2round 6s 6s +0%
polyt1_pack 6s 3s +100%
sign 6s 7s -14%
sign_verify_pre_hash_shake256 6s 3s +100%
caddq 5s 4s +25%
fqscale 5s 7s -29%
mld_sample_s1_s2_serial 5s 3s +67%
ntt_native_x86_64 5s 2s +150%
nttunpack_native_x86_64 5s 2s +150%
pack_sk_rho_key_tr_s2 5s 4s +25%
poly_caddq 5s 3s +67%
poly_caddq_c 5s 4s +25%
poly_challenge 5s 3s +67%
poly_ntt 5s 6s -17%
poly_uniform 5s 5s +0%
poly_use_hint_native 5s 4s +25%
polyeta_pack 5s 2s +150%
polyveck_caddq 5s 8s -38%
polyw1_pack_32 5s 5s +0%
power2round 5s 4s +25%
reduce32 5s 3s +67%
shake256_init 5s 3s +67%
shake256x4_absorb_once 5s 2s +150%
sign_keypair_internal 5s 3s +67%
unpack_pk_t1 5s 2s +150%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 4s 4s +0%
keccak_squeezeblocks_x4 4s 6s -33%
keccakf1600_extract_bytes (big endian) 4s 3s +33%
keccakf1600x4_extract_bytes_native 4s 2s +100%
mld_ct_cmask_neg_i32 4s 4s +0%
mld_ct_cmask_nonzero_u8 4s 3s +33%
mld_prepare_domain_separation_prefix 4s 5s -20%
mld_sample_s1_s2 4s 4s +0%
pack_sk_s1 4s 3s +33%
poly_caddq_native_x86_64 4s 3s +33%
poly_chknorm_native 4s 2s +100%
poly_chknorm_native_aarch64 4s 2s +100%
poly_decompose_32_native_aarch64 4s 2s +100%
poly_decompose_c 4s 2s +100%
poly_pointwise_montgomery_native 4s 3s +33%
poly_shiftl 4s 2s +100%
poly_sub 4s 4s +0%
poly_uniform_eta 4s 3s +33%
poly_uniform_gamma1_4x 4s 3s +33%
polyveck_unpack_eta 4s 3s +33%
polyvecl_pointwise_acc_montgomery 4s 5s -20%
polyvecl_pointwise_acc_montgomery_native 4s 2s +100%
polyz_unpack 4s 4s +0%
rej_eta_c 4s 3s +33%
rej_eta_native 4s 3s +33%
rej_uniform_native_aarch64 4s 4s +0%
shake128x4_absorb_once 4s 1s +300%
sign_pk_from_sk 4s 6s -33%
sign_signature 4s 3s +33%
sign_signature_pre_hash_internal 4s 3s +33%
sign_verify_extmu 4s 4s +0%
sign_verify_pre_hash_internal 4s 4s +0%
unpack_sk 4s 3s +33%
intt_native_aarch64 3s 4s -25%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x1_native_aarch64_v84a 3s 4s -25%
keccak_init 3s 2s +50%
keccakf1600_xor_bytes 3s 3s +0%
keccakf1600x4_extract_bytes 3s 2s +50%
keccakf1600x4_xor_bytes 3s 3s +0%
mld_ct_abs_i32 3s 2s +50%
mld_ct_get_optblocker_i64 3s 3s +0%
mld_keccakf1600_extract_bytes 3s 3s +0%
mld_keccakf1600x4_extract_bytes_c 3s 3s +0%
mld_value_barrier_i64 3s 2s +50%
mld_value_barrier_u8 3s 2s +50%
montgomery_reduce 3s 3s +0%
ntt_native_aarch64 3s 3s +0%
pack_sig_c 3s 2s +50%
pack_sig_h 3s 4s -25%
pointwise_native_aarch64 3s 2s +50%
pointwise_native_x86_64 3s 5s -40%
poly_caddq_native 3s 3s +0%
poly_caddq_native_aarch64 3s 2s +50%
poly_decompose_88_native_aarch64 3s 3s +0%
poly_decompose_native 3s 3s +0%
poly_invntt_tomont_native 3s 4s -25%
poly_ntt_c 3s 1s +200%
poly_ntt_native 3s 3s +0%
poly_permute_bitrev_to_custom_optional_native 3s 2s +50%
poly_pointwise_montgomery 3s 4s -25%
poly_reduce 3s 7s -57%
poly_uniform_gamma1 3s 2s +50%
poly_use_hint_native_aarch64 3s 4s -25%
polyeta_unpack 3s 3s +0%
polyt1_unpack 3s 5s -40%
polyveck_pack_eta 3s 4s -25%
polyveck_pack_w1 3s 2s +50%
polyveck_reduce 3s 2s +50%
polyvecl_pack_eta 3s 4s -25%
polyvecl_uniform_gamma1_serial 3s 3s +0%
polyw1_pack_88 3s 3s +0%
polyz_unpack_17_native_aarch64 3s 5s -40%
polyz_unpack_19_native_aarch64 3s 4s -25%
polyz_unpack_native 3s 3s +0%
rej_uniform_eta_native_aarch64 3s 5s -40%
shake128_absorb 3s 2s +50%
shake128_finalize 3s 3s +0%
shake128x4_squeezeblocks 3s 3s +0%
shake256_finalize 3s 3s +0%
shake256_squeeze 3s 3s +0%
sig_unpack_hints 3s 3s +0%
sign_keypair 3s 3s +0%
sign_signature_extmu 3s 7s -57%
sign_signature_pre_hash_shake256 3s 2s +50%
sign_verify 3s 5s -40%
sk_s1hat_get_poly 3s 3s +0%
sk_t0hat_get_poly 3s 2s +50%
sys_check_capability 3s 4s -25%
unpack_sk_s1hat 3s 3s +0%
use_hint 3s 4s -25%
yvec_get_poly 3s 2s +50%
yvec_init 3s 4s -25%
decompose 2s 2s +0%
keccak_f1600_x4_native_aarch64_v84a 2s 5s -60%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 3s -33%
keccak_f1600_x4_native_avx2 2s 1s +100%
keccakf1600_permute 2s 3s -33%
keccakf1600_permute_native 2s 6s -67%
keccakf1600_xor_bytes (big endian) 2s 3s -33%
keccakf1600x4_xor_bytes_native 2s 3s -33%
make_hint 2s 4s -50%
mld_ct_cmask_nonzero_u32 2s 1s +100%
mld_ct_get_optblocker_u32 2s 2s +0%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_ct_sel_int32 2s 3s -33%
mld_h 2s 3s -33%
mld_keccakf1600x4_xor_bytes_c 2s 3s -33%
mld_polymat_expand_entry 2s 2s +0%
poly_chknorm 2s 2s +0%
poly_decompose 2s 4s -50%
poly_decompose_native_x86_64 2s - new
poly_permute_bitrev_to_custom_optional 2s 3s -33%
poly_use_hint 2s 3s -33%
poly_use_hint_c 2s 2s +0%
polyt0_pack 2s 6s -67%
polyvec_matrix_pointwise_montgomery_row 2s 3s -33%
polyvecl_uniform_gamma1 2s 4s -50%
polyvecl_unpack_eta 2s 2s +0%
polyvecl_unpack_z 2s 2s +0%
polyw1_pack 2s 4s -50%
polyz_pack 2s 4s -50%
polyz_unpack_native_x86_64 2s 2s +0%
shake128_init 2s 3s -33%
shake128_squeeze 2s 2s +0%
shake256 2s 2s +0%
shake256_absorb 2s 3s -33%
shake256_release 2s 3s -33%
shake256x4_squeezeblocks 2s 3s -33%
sign_open 2s 5s -60%
sk_s2hat_get_poly 2s 3s -33%
unpack_sk_s2hat 2s 4s -50%
keccak_f1600_x1_native_aarch64 1s 3s -67%
keccak_finalize 1s 1s +0%
keccak_squeeze 1s 4s -75%
keccakf1600x4_permute 1s 2s -50%
mld_value_barrier_u32 1s 1s +0%
pack_sig_z 1s 4s -75%
poly_chknorm_native_x86_64 1s 3s -67%
poly_invntt_tomont 1s 1s +0%
rej_eta 1s 1s +0%
shake128_release 1s 3s -67%

@oqs-bot

oqs-bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CBMC Results (ML-DSA-87)

Full Results (206 proofs)
Proof Status Current Previous Change
**TOTAL** 2517s 2450s +2.7%
polyvecl_pointwise_acc_montgomery_c 352s 323s +9%
mld_invntt_layer 311s 307s +1%
polyvec_matrix_expand 238s 228s +4%
rej_uniform_native 159s 151s +5%
poly_pointwise_montgomery_c 111s 104s +7%
mld_attempt_signature_generation 108s 105s +3%
mld_ct_memcmp 69s 71s -3%
sign_signature_internal 69s 66s +5%
sign_verify_internal 63s 60s +5%
polyvec_matrix_expand_serial 50s 48s +4%
fqmul 44s 43s +2%
mld_ntt_layer 44s 45s -2%
compute_pack_t0_t1 35s 37s -5%
polyvec_matrix_pointwise_montgomery_yvec 33s 30s +10%
mld_ntt_butterfly_block 25s 24s +4%
rej_uniform 25s 22s +14%
keccakf1600x4_permute_native 22s 21s +5%
poly_chknorm_c 19s 23s -17%
polyt0_unpack 17s 18s -6%
polyeta_unpack 15s 16s -6%
mld_check_pct 14s 14s +0%
poly_uniform_4x 13s 11s +18%
poly_uniform_eta_4x 13s 15s -13%
rej_uniform_c 12s 14s -14%
poly_add 11s 11s +0%
poly_invntt_tomont_c 10s 11s -9%
poly_decompose_c 9s 5s +80%
polyveck_caddq 9s 6s +50%
polyvecl_ntt 9s 9s +0%
keccak_absorb 8s 8s +0%
keccak_absorb_once_x4 8s 9s -11%
mld_keccakf1600_permute_c 8s 6s +33%
polyveck_decompose 8s 10s -20%
polyveck_invntt_tomont 8s 6s +33%
mld_compute_pack_z 7s 8s -12%
mld_sample_s1_s2_serial 7s 8s -12%
polyz_unpack_c 7s 7s +0%
sign 7s 10s -30%
use_hint 7s 5s +40%
pointwise_acc_native_x86_64 6s 8s -25%
poly_caddq_c 6s 7s -14%
poly_challenge 6s 5s +20%
poly_uniform_eta 6s 3s +100%
polyt0_pack 6s 4s +50%
polyveck_ntt 6s 6s +0%
polyvecl_pointwise_acc_montgomery_native 6s 3s +100%
polyvecl_uniform_gamma1_serial 6s 4s +50%
unpack_sk_t0hat 6s 7s -14%
keccakf1600x4_xor_bytes 5s 3s +67%
keccakf1600x4_xor_bytes_native 5s 2s +150%
make_hint 5s 4s +25%
mld_sample_s1_s2 5s 7s -29%
pack_sig_h 5s 3s +67%
pointwise_acc_native_aarch64 5s 6s -17%
pointwise_native_x86_64 5s 5s +0%
poly_caddq_native 5s 2s +150%
poly_chknorm_native 5s 3s +67%
poly_invntt_tomont_native 5s 3s +67%
poly_reduce 5s 3s +67%
poly_use_hint_c 5s 2s +150%
polyveck_chknorm 5s 6s -17%
rej_eta_native 5s 4s +25%
sign_keypair 5s 6s -17%
sign_open 5s 2s +150%
sign_pk_from_sk 5s 7s -29%
sign_signature 5s 3s +67%
sign_signature_extmu 5s 2s +150%
sign_signature_pre_hash_internal 5s 2s +150%
sk_t0hat_get_poly 5s 5s +0%
keccak_f1600_x4_native_avx2 4s 2s +100%
mld_keccakf1600_extract_bytes 4s 3s +33%
mld_keccakf1600x4_extract_bytes_c 4s 2s +100%
mld_prepare_domain_separation_prefix 4s 3s +33%
pack_sig_z 4s 4s +0%
poly_caddq_native_x86_64 4s 5s -20%
poly_chknorm_native_aarch64 4s 3s +33%
poly_chknorm_native_x86_64 4s 2s +100%
poly_permute_bitrev_to_custom_optional_native 4s 4s +0%
poly_pointwise_montgomery 4s 5s -20%
poly_pointwise_montgomery_native 4s 4s +0%
poly_power2round 4s 3s +33%
polyt1_unpack 4s 4s +0%
polyveck_pack_w1 4s 2s +100%
polyvecl_chknorm 4s 6s -33%
polyvecl_pack_eta 4s 2s +100%
polyvecl_unpack_z 4s 2s +100%
polyz_unpack_native_x86_64 4s 3s +33%
power2round 4s 4s +0%
rej_eta 4s 1s +300%
shake128_release 4s 2s +100%
sign_keypair_internal 4s 5s -20%
sign_signature_pre_hash_shake256 4s 6s -33%
sign_verify 4s 4s +0%
sign_verify_extmu 4s 4s +0%
sign_verify_pre_hash_internal 4s 2s +100%
sk_s1hat_get_poly 4s 3s +33%
unpack_sk 4s 6s -33%
unpack_sk_s1hat 4s 2s +100%
caddq 3s 4s -25%
intt_native_aarch64 3s 2s +50%
intt_native_x86_64 3s 4s -25%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 3s +0%
keccak_squeeze 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 4s -25%
keccakf1600_xor_bytes 3s 1s +200%
mld_ct_get_optblocker_i64 3s 3s +0%
mld_h 3s 3s +0%
mld_keccakf1600x4_xor_bytes_c 3s 2s +50%
mld_value_barrier_u8 3s 3s +0%
ntt_native_aarch64 3s 4s -25%
nttunpack_native_x86_64 3s 5s -40%
pack_sk_rho_key_tr_s2 3s 2s +50%
pointwise_native_aarch64 3s 3s +0%
poly_caddq_native_aarch64 3s 4s -25%
poly_chknorm 3s 2s +50%
poly_decompose_native_x86_64 3s - new
poly_invntt_tomont 3s 3s +0%
poly_ntt 3s 3s +0%
poly_ntt_native 3s 3s +0%
poly_permute_bitrev_to_custom_optional 3s 3s +0%
poly_uniform 3s 3s +0%
poly_uniform_gamma1 3s 2s +50%
poly_use_hint 3s 3s +0%
poly_use_hint_native 3s 4s -25%
poly_use_hint_native_aarch64 3s 3s +0%
polyt1_pack 3s 2s +50%
polyvec_matrix_pointwise_montgomery_row 3s 6s -50%
polyveck_pack_eta 3s 4s -25%
polyveck_unpack_eta 3s 2s +50%
polyvecl_uniform_gamma1 3s 4s -25%
polyvecl_unpack_eta 3s 2s +50%
polyw1_pack_32 3s 4s -25%
polyw1_pack_88 3s 3s +0%
polyz_pack 3s 4s -25%
polyz_unpack 3s 4s -25%
polyz_unpack_native 3s 3s +0%
rej_uniform_eta_native_aarch64 3s 3s +0%
rej_uniform_native_aarch64 3s 3s +0%
shake128_init 3s 2s +50%
shake128_squeeze 3s 1s +200%
shake128x4_absorb_once 3s 4s -25%
shake128x4_squeezeblocks 3s 2s +50%
shake256_absorb 3s 5s -40%
shake256_release 3s 3s +0%
shake256_squeeze 3s 1s +200%
shake256x4_absorb_once 3s 4s -25%
sig_unpack_hints 3s 3s +0%
sign_verify_pre_hash_shake256 3s 3s +0%
sk_s2hat_get_poly 3s 2s +50%
unpack_pk_t1 3s 3s +0%
yvec_init 3s 3s +0%
fqscale 2s 1s +100%
keccak_f1600_x1_native_aarch64 2s 3s -33%
keccak_f1600_x1_native_aarch64_v84a 2s 1s +100%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 3s -33%
keccak_squeezeblocks_x4 2s 5s -60%
keccakf1600_permute 2s 3s -33%
keccakf1600_permute_native 2s 3s -33%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_extract_bytes 2s 2s +0%
keccakf1600x4_extract_bytes_native 2s 2s +0%
keccakf1600x4_permute 2s 4s -50%
mld_ct_abs_i32 2s 3s -33%
mld_ct_cmask_nonzero_u32 2s 5s -60%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_ct_get_optblocker_u32 2s 2s +0%
mld_ct_sel_int32 2s 1s +100%
mld_value_barrier_i64 2s 4s -50%
mld_value_barrier_u32 2s 3s -33%
montgomery_reduce 2s 2s +0%
ntt_native_x86_64 2s 4s -50%
pack_sig_c 2s 2s +0%
pack_sk_s1 2s 2s +0%
poly_caddq 2s 2s +0%
poly_decompose 2s 4s -50%
poly_decompose_32_native_aarch64 2s 3s -33%
poly_decompose_88_native_aarch64 2s 2s +0%
poly_decompose_native 2s 5s -60%
poly_ntt_c 2s 2s +0%
poly_shiftl 2s 3s -33%
poly_sub 2s 3s -33%
poly_uniform_gamma1_4x 2s 2s +0%
polyeta_pack 2s 3s -33%
polyvecl_pointwise_acc_montgomery 2s 3s -33%
polyw1_pack 2s 3s -33%
polyz_unpack_17_native_aarch64 2s 3s -33%
polyz_unpack_19_native_aarch64 2s 4s -50%
reduce32 2s 1s +100%
rej_eta_c 2s 4s -50%
shake256 2s 3s -33%
shake256_finalize 2s 1s +100%
shake256_init 2s 2s +0%
sys_check_capability 2s 3s -33%
unpack_sk_s2hat 2s 4s -50%
yvec_get_poly 2s 3s -33%
decompose 1s 4s -75%
keccak_f1600_x4_native_aarch64_v84a 1s 5s -80%
keccak_finalize 1s 2s -50%
keccak_init 1s 3s -67%
mld_ct_cmask_neg_i32 1s 2s -50%
mld_ct_get_optblocker_u8 1s 2s -50%
mld_polymat_expand_entry 1s 2s -50%
polyveck_reduce 1s 4s -75%
shake128_absorb 1s 1s +0%
shake128_finalize 1s 2s -50%
shake256x4_squeezeblocks 1s 2s -50%

@oqs-bot

oqs-bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CBMC Results (ML-DSA-44)

Full Results (206 proofs)
Proof Status Current Previous Change
**TOTAL** 1957s 1754s +11.6%
mld_invntt_layer 328s 287s +14%
rej_uniform_native 159s 144s +10%
polyvecl_pointwise_acc_montgomery_c 144s 111s +30%
poly_pointwise_montgomery_c 116s 94s +23%
mld_ct_memcmp 84s 67s +25%
mld_attempt_signature_generation 70s 62s +13%
mld_ntt_layer 51s 42s +21%
fqmul 47s 42s +12%
polyvec_matrix_expand 29s 27s +7%
sign_verify_internal 29s 28s +4%
mld_ntt_butterfly_block 25s 21s +19%
poly_chknorm_c 24s 20s +20%
keccakf1600x4_permute_native 23s 23s +0%
rej_uniform 22s 20s +10%
sign_signature_internal 21s 21s +0%
polyeta_unpack 18s 15s +20%
polyt0_unpack 18s 17s +6%
mld_check_pct 17s 15s +13%
compute_pack_t0_t1 15s 15s +0%
rej_uniform_c 15s 13s +15%
poly_uniform_eta_4x 13s 11s +18%
polyveck_chknorm 13s 10s +30%
poly_uniform_4x 12s 13s -8%
polyvec_matrix_pointwise_montgomery_yvec 12s 11s +9%
polyz_unpack_c 12s 12s +0%
keccak_absorb_once_x4 10s 8s +25%
polyvec_matrix_expand_serial 10s 7s +43%
keccak_absorb 9s 8s +12%
poly_add 9s 10s -10%
mld_compute_pack_z 8s 8s +0%
poly_invntt_tomont_c 7s 10s -30%
polyveck_decompose 7s 8s -12%
sign 7s 7s +0%
keccakf1600_permute_native 6s 2s +200%
mld_keccakf1600_permute_c 6s 7s -14%
poly_caddq_c 6s 8s -25%
poly_invntt_tomont 6s 2s +200%
poly_use_hint_c 6s 5s +20%
polyt0_pack 6s 4s +50%
polyvecl_ntt 6s 7s -14%
polyz_unpack_native 6s 3s +100%
sign_pk_from_sk 6s 6s +0%
sign_verify_pre_hash_internal 6s 3s +100%
caddq 5s 2s +150%
keccak_init 5s 2s +150%
mld_prepare_domain_separation_prefix 5s 4s +25%
montgomery_reduce 5s 3s +67%
pointwise_acc_native_aarch64 5s 7s -29%
poly_chknorm_native_x86_64 5s 1s +400%
poly_ntt 5s 3s +67%
poly_power2round 5s 4s +25%
poly_use_hint_native 5s 3s +67%
polyveck_invntt_tomont 5s 6s -17%
polyveck_ntt 5s 4s +25%
polyveck_pack_w1 5s 3s +67%
polyveck_reduce 5s 4s +25%
polyvecl_chknorm 5s 2s +150%
polyw1_pack_32 5s 2s +150%
rej_eta_native 5s 4s +25%
rej_uniform_eta_native_aarch64 5s 5s +0%
sign_keypair_internal 5s 5s +0%
sign_verify 5s 4s +25%
decompose 4s 6s -33%
intt_native_aarch64 4s 4s +0%
keccak_squeezeblocks_x4 4s 2s +100%
keccakf1600_permute 4s 1s +300%
mld_ct_get_optblocker_u32 4s 2s +100%
mld_keccakf1600x4_extract_bytes_c 4s 2s +100%
mld_polymat_expand_entry 4s 3s +33%
mld_sample_s1_s2 4s 4s +0%
mld_value_barrier_i64 4s 2s +100%
ntt_native_x86_64 4s 3s +33%
pointwise_acc_native_x86_64 4s 6s -33%
poly_caddq_native 4s 3s +33%
poly_caddq_native_aarch64 4s 3s +33%
poly_challenge 4s 5s -20%
poly_chknorm_native 4s 4s +0%
poly_decompose_c 4s 2s +100%
poly_invntt_tomont_native 4s 3s +33%
poly_ntt_c 4s 2s +100%
poly_ntt_native 4s 2s +100%
poly_permute_bitrev_to_custom_optional_native 4s 4s +0%
poly_sub 4s 4s +0%
poly_uniform 4s 4s +0%
poly_uniform_gamma1 4s 4s +0%
poly_uniform_gamma1_4x 4s 3s +33%
polyt1_pack 4s 4s +0%
polyvecl_pointwise_acc_montgomery_native 4s 2s +100%
polyvecl_unpack_z 4s 2s +100%
polyz_pack 4s 2s +100%
rej_eta_c 4s 1s +300%
shake256_init 4s 5s -20%
shake256x4_absorb_once 4s 3s +33%
sign_open 4s 5s -20%
sign_signature_extmu 4s 5s -20%
sign_signature_pre_hash_internal 4s 3s +33%
sign_signature_pre_hash_shake256 4s 5s -20%
sign_verify_extmu 4s 8s -50%
sign_verify_pre_hash_shake256 4s 7s -43%
unpack_pk_t1 4s 2s +100%
unpack_sk_s2hat 4s 4s +0%
unpack_sk_t0hat 4s 3s +33%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x1_native_aarch64_v84a 3s 1s +200%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 2s +50%
keccakf1600_xor_bytes (big endian) 3s 1s +200%
keccakf1600x4_extract_bytes 3s 2s +50%
keccakf1600x4_extract_bytes_native 3s 2s +50%
keccakf1600x4_permute 3s 2s +50%
keccakf1600x4_xor_bytes_native 3s 4s -25%
make_hint 3s 1s +200%
mld_ct_cmask_neg_i32 3s 4s -25%
mld_ct_cmask_nonzero_u32 3s 4s -25%
mld_ct_get_optblocker_i64 3s 1s +200%
mld_ct_sel_int32 3s 1s +200%
mld_h 3s 4s -25%
mld_keccakf1600x4_xor_bytes_c 3s 2s +50%
mld_sample_s1_s2_serial 3s 4s -25%
mld_value_barrier_u32 3s 3s +0%
mld_value_barrier_u8 3s 2s +50%
ntt_native_aarch64 3s 3s +0%
nttunpack_native_x86_64 3s 4s -25%
pack_sig_c 3s 3s +0%
pack_sig_h 3s 2s +50%
pack_sk_rho_key_tr_s2 3s 2s +50%
pack_sk_s1 3s 3s +0%
pointwise_native_aarch64 3s 4s -25%
poly_caddq 3s 2s +50%
poly_caddq_native_x86_64 3s 4s -25%
poly_chknorm_native_aarch64 3s 2s +50%
poly_decompose_32_native_aarch64 3s 3s +0%
poly_decompose_88_native_aarch64 3s 2s +50%
poly_decompose_native 3s 3s +0%
poly_decompose_native_x86_64 3s - new
poly_permute_bitrev_to_custom_optional 3s 3s +0%
poly_shiftl 3s 3s +0%
poly_uniform_eta 3s 5s -40%
poly_use_hint_native_aarch64 3s 2s +50%
polyeta_pack 3s 3s +0%
polyt1_unpack 3s 2s +50%
polyvec_matrix_pointwise_montgomery_row 3s 3s +0%
polyveck_caddq 3s 4s -25%
polyvecl_pointwise_acc_montgomery 3s 4s -25%
polyvecl_uniform_gamma1 3s 3s +0%
polyvecl_uniform_gamma1_serial 3s 2s +50%
polyvecl_unpack_eta 3s 3s +0%
polyw1_pack_88 3s 3s +0%
polyz_unpack_17_native_aarch64 3s 3s +0%
reduce32 3s 3s +0%
rej_eta 3s 2s +50%
rej_uniform_native_aarch64 3s 4s -25%
shake128_absorb 3s 3s +0%
shake128_squeeze 3s 2s +50%
shake256 3s 3s +0%
shake256_finalize 3s 3s +0%
shake256_release 3s 3s +0%
shake256_squeeze 3s 3s +0%
shake256x4_squeezeblocks 3s 2s +50%
sig_unpack_hints 3s 5s -40%
sign_keypair 3s 5s -40%
sk_s1hat_get_poly 3s 4s -25%
yvec_init 3s 2s +50%
fqscale 2s 4s -50%
keccak_f1600_x4_native_avx2 2s 3s -33%
keccak_squeeze 2s 3s -33%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600x4_xor_bytes 2s 2s +0%
mld_ct_abs_i32 2s 3s -33%
mld_ct_cmask_nonzero_u8 2s 2s +0%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 3s -33%
pointwise_native_x86_64 2s 4s -50%
poly_chknorm 2s 2s +0%
poly_decompose 2s 4s -50%
poly_pointwise_montgomery_native 2s 2s +0%
poly_reduce 2s 2s +0%
polyveck_pack_eta 2s 4s -50%
polyveck_unpack_eta 2s 3s -33%
polyvecl_pack_eta 2s 3s -33%
polyw1_pack 2s 6s -67%
polyz_unpack 2s 4s -50%
polyz_unpack_19_native_aarch64 2s 4s -50%
polyz_unpack_native_x86_64 2s 4s -50%
power2round 2s 4s -50%
shake128_finalize 2s 2s +0%
shake128_init 2s 2s +0%
shake128_release 2s 3s -33%
shake128x4_absorb_once 2s 2s +0%
shake128x4_squeezeblocks 2s 2s +0%
sign_signature 2s 3s -33%
sys_check_capability 2s 2s +0%
unpack_sk 2s 3s -33%
unpack_sk_s1hat 2s 2s +0%
use_hint 2s 4s -50%
yvec_get_poly 2s 2s +0%
keccak_f1600_x1_native_aarch64 1s 2s -50%
keccak_f1600_x4_native_aarch64_v84a 1s 3s -67%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 1s 4s -75%
keccak_finalize 1s 1s +0%
pack_sig_z 1s 3s -67%
poly_pointwise_montgomery 1s 4s -75%
poly_use_hint 1s 3s -67%
shake256_absorb 1s 1s +0%
sk_s2hat_get_poly 1s 3s -67%
sk_t0hat_get_poly 1s 2s -50%

@jakemas jakemas mentioned this pull request Jun 15, 2026
Merged
github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mac Mini (M1, 2020) benchmarks (opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 46535 cycles 46504 cycles 1.00
ML-DSA-44 sign 131062 cycles 131079 cycles 1.00
ML-DSA-44 verify 47343 cycles 47310 cycles 1.00
ML-DSA-65 keypair 81693 cycles 81680 cycles 1.00
ML-DSA-65 sign 215321 cycles 215311 cycles 1.00
ML-DSA-65 verify 79309 cycles 79299 cycles 1.00
ML-DSA-87 keypair 132396 cycles 132405 cycles 1.00
ML-DSA-87 sign 277357 cycles 277328 cycles 1.00
ML-DSA-87 verify 134042 cycles 134051 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mac Mini (M1, 2020) benchmarks (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 113111 cycles 112758 cycles 1.00
ML-DSA-44 sign 402272 cycles 400845 cycles 1.00
ML-DSA-44 verify 119782 cycles 119413 cycles 1.00
ML-DSA-65 keypair 193015 cycles 192933 cycles 1.00
ML-DSA-65 sign 650151 cycles 649924 cycles 1.00
ML-DSA-65 verify 192935 cycles 192850 cycles 1.00
ML-DSA-87 keypair 318786 cycles 318753 cycles 1.00
ML-DSA-87 sign 828784 cycles 828716 cycles 1.00
ML-DSA-87 verify 326698 cycles 326677 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arm Cortex-A76 (Raspberry Pi 5) benchmarks (opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 112171 cycles 112128 cycles 1.00
ML-DSA-44 sign 353480 cycles 353788 cycles 1.00
ML-DSA-44 verify 117004 cycles 117189 cycles 1.00
ML-DSA-65 keypair 194786 cycles 194358 cycles 1.00
ML-DSA-65 sign 583882 cycles 583733 cycles 1.00
ML-DSA-65 verify 192717 cycles 193111 cycles 1.00
ML-DSA-87 keypair 320911 cycles 320083 cycles 1.00
ML-DSA-87 sign 747254 cycles 747201 cycles 1.00
ML-DSA-87 verify 318739 cycles 317895 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arm Cortex-A76 (Raspberry Pi 5) benchmarks (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 211464 cycles 211527 cycles 1.00
ML-DSA-44 sign 759041 cycles 759858 cycles 1.00
ML-DSA-44 verify 228925 cycles 229351 cycles 1.00
ML-DSA-65 keypair 377183 cycles 378548 cycles 1.00
ML-DSA-65 sign 1247203 cycles 1247648 cycles 1.00
ML-DSA-65 verify 371278 cycles 372375 cycles 1.00
ML-DSA-87 keypair 600236 cycles 601887 cycles 1.00
ML-DSA-87 sign 1582442 cycles 1582472 cycles 1.00
ML-DSA-87 verify 615930 cycles 617767 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SpacemiT K1 8 (Banana Pi F3) benchmarks (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 760108 cycles 759567 cycles 1.00
ML-DSA-44 sign 3139979 cycles 3137937 cycles 1.00
ML-DSA-44 verify 859276 cycles 858870 cycles 1.00
ML-DSA-65 keypair 1285510 cycles 1285661 cycles 1.00
ML-DSA-65 sign 5076473 cycles 5075651 cycles 1.00
ML-DSA-65 verify 1363683 cycles 1364449 cycles 1.00
ML-DSA-87 keypair 2108565 cycles 2111749 cycles 1.00
ML-DSA-87 sign 6349814 cycles 6355811 cycles 1.00
ML-DSA-87 verify 2227740 cycles 2228276 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intel Xeon 4th gen (c7i)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 43320 cycles 43415 cycles 1.00
ML-DSA-44 sign 130447 cycles 130832 cycles 1.00
ML-DSA-44 verify 45019 cycles 45316 cycles 0.99
ML-DSA-65 keypair 75630 cycles 75430 cycles 1.00
ML-DSA-65 sign 214636 cycles 215011 cycles 1.00
ML-DSA-65 verify 74259 cycles 74350 cycles 1.00
ML-DSA-87 keypair 123222 cycles 123299 cycles 1.00
ML-DSA-87 sign 271095 cycles 271370 cycles 1.00
ML-DSA-87 verify 120682 cycles 120802 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intel Xeon 4th gen (c7i) (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 91460 cycles 91498 cycles 1.00
ML-DSA-44 sign 352421 cycles 352373 cycles 1.00
ML-DSA-44 verify 99823 cycles 99791 cycles 1.00
ML-DSA-65 keypair 153853 cycles 153828 cycles 1.00
ML-DSA-65 sign 571320 cycles 571106 cycles 1.00
ML-DSA-65 verify 159824 cycles 159761 cycles 1.00
ML-DSA-87 keypair 255642 cycles 255664 cycles 1.00
ML-DSA-87 sign 725720 cycles 726163 cycles 1.00
ML-DSA-87 verify 263733 cycles 263879 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AMD EPYC 3rd gen (c6a)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 55422 cycles 55320 cycles 1.00
ML-DSA-44 sign 159104 cycles 159183 cycles 1.00
ML-DSA-44 verify 57499 cycles 57873 cycles 0.99
ML-DSA-65 keypair 96456 cycles 95830 cycles 1.01
ML-DSA-65 sign 263091 cycles 263504 cycles 1.00
ML-DSA-65 verify 96045 cycles 96058 cycles 1.00
ML-DSA-87 keypair 154978 cycles 154555 cycles 1.00
ML-DSA-87 sign 322539 cycles 322765 cycles 1.00
ML-DSA-87 verify 151291 cycles 150846 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AMD EPYC 3rd gen (c6a) (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 133314 cycles 133213 cycles 1.00
ML-DSA-44 sign 518729 cycles 518708 cycles 1.00
ML-DSA-44 verify 146430 cycles 146419 cycles 1.00
ML-DSA-65 keypair 223838 cycles 225658 cycles 0.99
ML-DSA-65 sign 842432 cycles 848883 cycles 0.99
ML-DSA-65 verify 233764 cycles 236008 cycles 0.99
ML-DSA-87 keypair 366923 cycles 366727 cycles 1.00
ML-DSA-87 sign 1059620 cycles 1060028 cycles 1.00
ML-DSA-87 verify 381222 cycles 380316 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Graviton4

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 67282 cycles 67251 cycles 1.00
ML-DSA-44 sign 198335 cycles 198318 cycles 1.00
ML-DSA-44 verify 70214 cycles 70240 cycles 1.00
ML-DSA-65 keypair 119470 cycles 119362 cycles 1.00
ML-DSA-65 sign 326115 cycles 325982 cycles 1.00
ML-DSA-65 verify 116920 cycles 116934 cycles 1.00
ML-DSA-87 keypair 196541 cycles 196595 cycles 1.00
ML-DSA-87 sign 421505 cycles 421892 cycles 1.00
ML-DSA-87 verify 193377 cycles 193379 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AMD EPYC 4th gen (c7a)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 46676 cycles 46860 cycles 1.00
ML-DSA-44 sign 139525 cycles 139486 cycles 1.00
ML-DSA-44 verify 49201 cycles 49318 cycles 1.00
ML-DSA-65 keypair 82513 cycles 81920 cycles 1.01
ML-DSA-65 sign 227275 cycles 227729 cycles 1.00
ML-DSA-65 verify 81963 cycles 81877 cycles 1.00
ML-DSA-87 keypair 129267 cycles 131127 cycles 0.99
ML-DSA-87 sign 280881 cycles 281288 cycles 1.00
ML-DSA-87 verify 128438 cycles 129015 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intel Xeon 3rd gen (c6i)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 61777 cycles 61685 cycles 1.00
ML-DSA-44 sign 189264 cycles 188995 cycles 1.00
ML-DSA-44 verify 66152 cycles 66273 cycles 1.00
ML-DSA-65 keypair 108472 cycles 111473 cycles 0.97
ML-DSA-65 sign 312431 cycles 312617 cycles 1.00
ML-DSA-65 verify 109611 cycles 110558 cycles 0.99
ML-DSA-87 keypair 171304 cycles 171460 cycles 1.00
ML-DSA-87 sign 377394 cycles 377513 cycles 1.00
ML-DSA-87 verify 169493 cycles 169102 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Graviton4 (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 127565 cycles 127647 cycles 1.00
ML-DSA-44 sign 441234 cycles 441052 cycles 1.00
ML-DSA-44 verify 136402 cycles 136340 cycles 1.00
ML-DSA-65 keypair 220501 cycles 220707 cycles 1.00
ML-DSA-65 sign 714356 cycles 713810 cycles 1.00
ML-DSA-65 verify 221036 cycles 220735 cycles 1.00
ML-DSA-87 keypair 364581 cycles 365112 cycles 1.00
ML-DSA-87 sign 915625 cycles 921310 cycles 0.99
ML-DSA-87 verify 370856 cycles 370798 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AMD EPYC 4th gen (c7a) (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 118183 cycles 118568 cycles 1.00
ML-DSA-44 sign 457225 cycles 458777 cycles 1.00
ML-DSA-44 verify 130648 cycles 131112 cycles 1.00
ML-DSA-65 keypair 200891 cycles 200686 cycles 1.00
ML-DSA-65 sign 745651 cycles 743736 cycles 1.00
ML-DSA-65 verify 209587 cycles 209264 cycles 1.00
ML-DSA-87 keypair 331930 cycles 330171 cycles 1.01
ML-DSA-87 sign 942737 cycles 935697 cycles 1.01
ML-DSA-87 verify 342981 cycles 343489 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intel Xeon 3rd gen (c6i) (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 154189 cycles 154753 cycles 1.00
ML-DSA-44 sign 587855 cycles 591158 cycles 0.99
ML-DSA-44 verify 169480 cycles 169947 cycles 1.00
ML-DSA-65 keypair 262646 cycles 261726 cycles 1.00
ML-DSA-65 sign 964482 cycles 963022 cycles 1.00
ML-DSA-65 verify 272290 cycles 271733 cycles 1.00
ML-DSA-87 keypair 432007 cycles 431775 cycles 1.00
ML-DSA-87 sign 1210654 cycles 1213443 cycles 1.00
ML-DSA-87 verify 447323 cycles 447885 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Graviton3

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 71405 cycles 71561 cycles 1.00
ML-DSA-44 sign 208966 cycles 209019 cycles 1.00
ML-DSA-44 verify 74818 cycles 74745 cycles 1.00
ML-DSA-65 keypair 125948 cycles 125918 cycles 1.00
ML-DSA-65 sign 345621 cycles 345393 cycles 1.00
ML-DSA-65 verify 124114 cycles 124184 cycles 1.00
ML-DSA-87 keypair 207058 cycles 206649 cycles 1.00
ML-DSA-87 sign 443965 cycles 439798 cycles 1.01
ML-DSA-87 verify 204102 cycles 204451 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arm Cortex-A55 (Snapdragon 888) benchmarks (opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 268177 cycles 266639 cycles 1.01
ML-DSA-44 sign 811656 cycles 808808 cycles 1.00
ML-DSA-44 verify 270342 cycles 270153 cycles 1.00
ML-DSA-65 keypair 460977 cycles 461300 cycles 1.00
ML-DSA-65 sign 1323114 cycles 1323365 cycles 1.00
ML-DSA-65 verify 446367 cycles 447313 cycles 1.00
ML-DSA-87 keypair 786856 cycles 789934 cycles 1.00
ML-DSA-87 sign 1817396 cycles 1827662 cycles 0.99
ML-DSA-87 verify 765924 cycles 769879 cycles 0.99

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Graviton3 (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 137915 cycles 138038 cycles 1.00
ML-DSA-44 sign 485929 cycles 486082 cycles 1.00
ML-DSA-44 verify 149011 cycles 149093 cycles 1.00
ML-DSA-65 keypair 241465 cycles 241929 cycles 1.00
ML-DSA-65 sign 791930 cycles 791534 cycles 1.00
ML-DSA-65 verify 242169 cycles 241280 cycles 1.00
ML-DSA-87 keypair 395764 cycles 396309 cycles 1.00
ML-DSA-87 sign 1013504 cycles 1019346 cycles 0.99
ML-DSA-87 verify 403644 cycles 403741 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Graviton2

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 112267 cycles 112529 cycles 1.00
ML-DSA-44 sign 354171 cycles 354040 cycles 1.00
ML-DSA-44 verify 117356 cycles 117389 cycles 1.00
ML-DSA-65 keypair 194413 cycles 194738 cycles 1.00
ML-DSA-65 sign 584338 cycles 584565 cycles 1.00
ML-DSA-65 verify 193374 cycles 193297 cycles 1.00
ML-DSA-87 keypair 320843 cycles 321000 cycles 1.00
ML-DSA-87 sign 747781 cycles 746870 cycles 1.00
ML-DSA-87 verify 317959 cycles 318737 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot
oqs-bot reviewed Jun 15, 2026
View reviewed changes

@oqs-bot oqs-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Graviton2 (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 212082 cycles 211802 cycles 1.00
ML-DSA-44 sign 760968 cycles 759783 cycles 1.00
ML-DSA-44 verify 229827 cycles 229307 cycles 1.00
ML-DSA-65 keypair 378584 cycles 377288 cycles 1.00
ML-DSA-65 sign 1247669 cycles 1247192 cycles 1.00
ML-DSA-65 verify 373212 cycles 371605 cycles 1.00
ML-DSA-87 keypair 602191 cycles 601230 cycles 1.00
ML-DSA-87 sign 1584300 cycles 1584827 cycles 1.00
ML-DSA-87 verify 618115 cycles 616717 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arm Cortex-A55 (Snapdragon 888) benchmarks (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 463207 cycles 462947 cycles 1.00
ML-DSA-44 sign 2133669 cycles 2132913 cycles 1.00
ML-DSA-44 verify 554980 cycles 555065 cycles 1.00
ML-DSA-65 keypair 782046 cycles 781178 cycles 1.00
ML-DSA-65 sign 3489865 cycles 3495803 cycles 1.00
ML-DSA-65 verify 866230 cycles 863872 cycles 1.00
ML-DSA-87 keypair 1263324 cycles 1265586 cycles 1.00
ML-DSA-87 sign 4306970 cycles 4308959 cycles 1.00
ML-DSA-87 verify 1388306 cycles 1390453 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arm Cortex-A72 (Raspberry Pi 4) benchmarks (opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 220427 cycles 214312 cycles 1.03
ML-DSA-44 sign 612973 cycles 605496 cycles 1.01
ML-DSA-44 verify 217524 cycles 222932 cycles 0.98
ML-DSA-65 keypair 388694 cycles 390142 cycles 1.00
ML-DSA-65 sign 1009947 cycles 1004679 cycles 1.01
ML-DSA-65 verify 371807 cycles 374059 cycles 0.99
ML-DSA-87 keypair 651583 cycles 652450 cycles 1.00
ML-DSA-87 sign 1325525 cycles 1336385 cycles 0.99
ML-DSA-87 verify 631906 cycles 633167 cycles 1.00

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arm Cortex-A72 (Raspberry Pi 4) benchmarks (no-opt)

Details
Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-44 keypair 310128 cycles 312767 cycles 0.99
ML-DSA-44 sign 1174409 cycles 1207539 cycles 0.97
ML-DSA-44 verify 346573 cycles 342752 cycles 1.01
ML-DSA-65 keypair 560465 cycles 567893 cycles 0.99
ML-DSA-65 sign 1886833 cycles 1961247 cycles 0.96
ML-DSA-65 verify 539864 cycles 560470 cycles 0.96
ML-DSA-87 keypair 876500 cycles 849145 cycles 1.03
ML-DSA-87 sign 2402521 cycles 2376735 cycles 1.01
ML-DSA-87 verify 899316 cycles 890655 cycles 1.01

This comment was automatically generated by workflow using github-action-benchmark.

github-actions[bot]
github-actions Bot reviewed Jun 15, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Arm Cortex-A72 (Raspberry Pi 4) benchmarks (no-opt)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite Current: 0b60fcc Previous: 9c5eceb Ratio
ML-DSA-87 keypair 876500 cycles 849145 cycles 1.03

This comment was automatically generated by workflow using github-action-benchmark.

@jakemas jakemas force-pushed the jakemas/poly-decompose-asm branch from 0b60fcc to 7ef3442 Compare June 16, 2026 17:46
@jakemas
x86_64: Replace poly_decompose AVX2 intrinsics with hand-written asse…
2174def 
…mbly

Mirror the AArch64 conversion in poly_decompose_{32,88}_aarch64_asm:
replace the C intrinsics with fully-unrolled AVX2 routines, add HOL-Light
correctness and memory-safety proofs, and CBMC contracts. Helper lemmas
common to both variants are shared via the x86-only mldsa_utils.ml.

- Resolves #420
- Resolves #914

Signed-off-by: Jake Massimo <jakemas@amazon.com>
@jakemas jakemas force-pushed the jakemas/poly-decompose-asm branch from 7ef3442 to 2174def Compare June 16, 2026 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@oqs-bot oqs-bot oqs-bot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

benchmark

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HOL-Light: Prove AVX2 poly_decompose AVX2: Replace intrinsics implementation of poly_decompose with assembly

2 participants

@jakemas @oqs-bot