RFC: Validate s1/s2 coefficient bounds during signing by mkannwischer · Pull Request #1003 · pq-code-package/mldsa-native

mkannwischer · 2026-03-24T01:20:54Z

RFC: This PR is to evaluate the performance impact of this change and to discuss if such a check should be added or not. From a standard compliance point, I don't see a reason why it needs to be added. If performance impact is negligible, I wouldn't object adding it. It is just somewhat unclean, that it performs some input validation, while other parts of the inputs are not validated (see the other checks that have been added to pk_from_sk) - but the other checks would require recomputing the public key which is clearly too expensive. I am interested to hear what others think.

Validate s1 and s2 coefficient bounds in unpack_sk, ensuring that signing rejects secret keys with out-of-range s1/s2 encodings. Neither FIPS 204 nor the FIPS 140-3 IG describe this check, but it is covered by Wycheproof test vectors.

The bounds check was previously only performed in pk_from_sk. By moving it into unpack_sk, both signing and pk_from_sk benefit from the same check.

Note that pk_from_sk performs additional validation beyond this: it recomputes t0 and tr from (rho, s1, s2) and checks them against the stored values to verify internal consistency of the secret key.

TODO:

[ ] Adjust CBMC proofs

Validate s1 and s2 coefficient bounds in unpack_sk, ensuring that signing rejects secret keys with out-of-range s1/s2 encodings. Neither FIPS 204 nor the FIPS 140-3 IG describe this check, but it is covered by Wycheproof test vectors. The bounds check was previously only performed in pk_from_sk. By moving it into unpack_sk, both signing and pk_from_sk benefit from the same check. Note that pk_from_sk performs additional validation beyond this: it recomputes t0 and tr from (rho, s1, s2) and checks them against the stored values to verify internal consistency of the secret key. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

github-actions

Arm Cortex-A76 (Raspberry Pi 5) benchmarks (opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`113075` cycles	`113125` cycles	`1.00`
`ML-DSA-44 sign`	`356894` cycles	`355404` cycles	`1.00`
`ML-DSA-44 verify`	`117859` cycles	`117806` cycles	`1.00`
`ML-DSA-65 keypair`	`196228` cycles	`196440` cycles	`1.00`
`ML-DSA-65 sign`	`590827` cycles	`588870` cycles	`1.00`
`ML-DSA-65 verify`	`194601` cycles	`194523` cycles	`1.00`
`ML-DSA-87 keypair`	`322487` cycles	`322254` cycles	`1.00`
`ML-DSA-87 sign`	`753981` cycles	`752961` cycles	`1.00`
`ML-DSA-87 verify`	`320055` cycles	`320091` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

github-actions

Arm Cortex-A76 (Raspberry Pi 5) benchmarks (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`212351` cycles	`212677` cycles	`1.00`
`ML-DSA-44 sign`	`768639` cycles	`759475` cycles	`1.01`
`ML-DSA-44 verify`	`228664` cycles	`228953` cycles	`1.00`
`ML-DSA-65 keypair`	`379802` cycles	`380253` cycles	`1.00`
`ML-DSA-65 sign`	`1263677` cycles	`1251269` cycles	`1.01`
`ML-DSA-65 verify`	`371430` cycles	`372050` cycles	`1.00`
`ML-DSA-87 keypair`	`604884` cycles	`605509` cycles	`1.00`
`ML-DSA-87 sign`	`1609482` cycles	`1591320` cycles	`1.01`
`ML-DSA-87 verify`	`618678` cycles	`617579` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 4th gen (c7i)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`34419` cycles	`34508` cycles	`1.00`
`ML-DSA-44 sign`	`120151` cycles	`119762` cycles	`1.00`
`ML-DSA-44 verify`	`38152` cycles	`38106` cycles	`1.00`
`ML-DSA-65 keypair`	`60697` cycles	`61327` cycles	`0.99`
`ML-DSA-65 sign`	`200789` cycles	`202109` cycles	`0.99`
`ML-DSA-65 verify`	`62922` cycles	`62771` cycles	`1.00`
`ML-DSA-87 keypair`	`94415` cycles	`94593` cycles	`1.00`
`ML-DSA-87 sign`	`238324` cycles	`240827` cycles	`0.99`
`ML-DSA-87 verify`	`95168` cycles	`96019` cycles	`0.99`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 4th gen (c7i) (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`93705` cycles	`93753` cycles	`1.00`
`ML-DSA-44 sign`	`337113` cycles	`333304` cycles	`1.01`
`ML-DSA-44 verify`	`99826` cycles	`99738` cycles	`1.00`
`ML-DSA-65 keypair`	`159853` cycles	`159678` cycles	`1.00`
`ML-DSA-65 sign`	`548333` cycles	`544024` cycles	`1.01`
`ML-DSA-65 verify`	`160896` cycles	`160787` cycles	`1.00`
`ML-DSA-87 keypair`	`267790` cycles	`267177` cycles	`1.00`
`ML-DSA-87 sign`	`716080` cycles	`705890` cycles	`1.01`
`ML-DSA-87 verify`	`269063` cycles	`270246` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`69067` cycles	`69272` cycles	`1.00`
`ML-DSA-44 sign`	`187689` cycles	`188132` cycles	`1.00`
`ML-DSA-44 verify`	`68991` cycles	`69431` cycles	`0.99`
`ML-DSA-65 keypair`	`119329` cycles	`119537` cycles	`1.00`
`ML-DSA-65 sign`	`300691` cycles	`300738` cycles	`1.00`
`ML-DSA-65 verify`	`115591` cycles	`115521` cycles	`1.00`
`ML-DSA-87 keypair`	`202863` cycles	`204457` cycles	`0.99`
`ML-DSA-87 sign`	`393831` cycles	`395562` cycles	`1.00`
`ML-DSA-87 verify`	`195687` cycles	`196251` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`68016` cycles	`68092` cycles	`1.00`
`ML-DSA-44 sign`	`203534` cycles	`202357` cycles	`1.01`
`ML-DSA-44 verify`	`70933` cycles	`70840` cycles	`1.00`
`ML-DSA-65 keypair`	`121073` cycles	`120892` cycles	`1.00`
`ML-DSA-65 sign`	`333019` cycles	`332262` cycles	`1.00`
`ML-DSA-65 verify`	`117954` cycles	`117993` cycles	`1.00`
`ML-DSA-87 keypair`	`198182` cycles	`198285` cycles	`1.00`
`ML-DSA-87 sign`	`430011` cycles	`428165` cycles	`1.00`
`ML-DSA-87 verify`	`194700` cycles	`194638` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`56997` cycles	`56810` cycles	`1.00`
`ML-DSA-44 sign`	`184302` cycles	`181256` cycles	`1.02`
`ML-DSA-44 verify`	`62355` cycles	`61127` cycles	`1.02`
`ML-DSA-65 keypair`	`99691` cycles	`98683` cycles	`1.01`
`ML-DSA-65 sign`	`303003` cycles	`298776` cycles	`1.01`
`ML-DSA-65 verify`	`101664` cycles	`100109` cycles	`1.02`
`ML-DSA-87 keypair`	`155226` cycles	`152672` cycles	`1.02`
`ML-DSA-87 sign`	`360726` cycles	`355205` cycles	`1.02`
`ML-DSA-87 verify`	`156317` cycles	`153314` cycles	`1.02`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a) (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`134872` cycles	`135154` cycles	`1.00`
`ML-DSA-44 sign`	`530269` cycles	`524730` cycles	`1.01`
`ML-DSA-44 verify`	`147815` cycles	`147590` cycles	`1.00`
`ML-DSA-65 keypair`	`228397` cycles	`228675` cycles	`1.00`
`ML-DSA-65 sign`	`871540` cycles	`866364` cycles	`1.01`
`ML-DSA-65 verify`	`236679` cycles	`236755` cycles	`1.00`
`ML-DSA-87 keypair`	`371091` cycles	`372434` cycles	`1.00`
`ML-DSA-87 sign`	`1087957` cycles	`1081953` cycles	`1.01`
`ML-DSA-87 verify`	`382510` cycles	`383807` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4 (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`128392` cycles	`128232` cycles	`1.00`
`ML-DSA-44 sign`	`453815` cycles	`447685` cycles	`1.01`
`ML-DSA-44 verify`	`138201` cycles	`144647` cycles	`0.96`
`ML-DSA-65 keypair`	`220724` cycles	`220666` cycles	`1.00`
`ML-DSA-65 sign`	`735582` cycles	`727390` cycles	`1.01`
`ML-DSA-65 verify`	`222772` cycles	`223179` cycles	`1.00`
`ML-DSA-87 keypair`	`364622` cycles	`365048` cycles	`1.00`
`ML-DSA-87 sign`	`937747` cycles	`925897` cycles	`1.01`
`ML-DSA-87 verify`	`372918` cycles	`372806` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i) (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`157358` cycles	`157591` cycles	`1.00`
`ML-DSA-44 sign`	`558028` cycles	`551560` cycles	`1.01`
`ML-DSA-44 verify`	`169116` cycles	`169402` cycles	`1.00`
`ML-DSA-65 keypair`	`268508` cycles	`267815` cycles	`1.00`
`ML-DSA-65 sign`	`914833` cycles	`904542` cycles	`1.01`
`ML-DSA-65 verify`	`274947` cycles	`274303` cycles	`1.00`
`ML-DSA-87 keypair`	`448205` cycles	`448249` cycles	`1.00`
`ML-DSA-87 sign`	`1169598` cycles	`1156908` cycles	`1.01`
`ML-DSA-87 verify`	`457676` cycles	`458389` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`72343` cycles	`72262` cycles	`1.00`
`ML-DSA-44 sign`	`213593` cycles	`212358` cycles	`1.01`
`ML-DSA-44 verify`	`75743` cycles	`75722` cycles	`1.00`
`ML-DSA-65 keypair`	`127606` cycles	`127611` cycles	`1.00`
`ML-DSA-65 sign`	`352890` cycles	`350840` cycles	`1.01`
`ML-DSA-65 verify`	`125629` cycles	`125699` cycles	`1.00`
`ML-DSA-87 keypair`	`205827` cycles	`208501` cycles	`0.99`
`ML-DSA-87 sign`	`446676` cycles	`450025` cycles	`0.99`
`ML-DSA-87 verify`	`205631` cycles	`205765` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`40970` cycles	`41153` cycles	`1.00`
`ML-DSA-44 sign`	`135862` cycles	`132931` cycles	`1.02`
`ML-DSA-44 verify`	`44232` cycles	`43836` cycles	`1.01`
`ML-DSA-65 keypair`	`73239` cycles	`72244` cycles	`1.01`
`ML-DSA-65 sign`	`216331` cycles	`214745` cycles	`1.01`
`ML-DSA-65 verify`	`74592` cycles	`73096` cycles	`1.02`
`ML-DSA-87 keypair`	`114305` cycles	`108337` cycles	`1.06`
`ML-DSA-87 sign`	`259210` cycles	`253357` cycles	`1.02`
`ML-DSA-87 verify`	`116670` cycles	`110812` cycles	`1.05`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'AMD EPYC 4th gen (c7a)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-87 keypair`	`114305` cycles	`108337` cycles	`1.06`
`ML-DSA-87 verify`	`116670` cycles	`110812` cycles	`1.05`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3 (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`138631` cycles	`138488` cycles	`1.00`
`ML-DSA-44 sign`	`491225` cycles	`483902` cycles	`1.02`
`ML-DSA-44 verify`	`148433` cycles	`162298` cycles	`0.91`
`ML-DSA-65 keypair`	`241227` cycles	`241720` cycles	`1.00`
`ML-DSA-65 sign`	`802903` cycles	`792693` cycles	`1.01`
`ML-DSA-65 verify`	`240733` cycles	`241300` cycles	`1.00`
`ML-DSA-87 keypair`	`395392` cycles	`396574` cycles	`1.00`
`ML-DSA-87 sign`	`1026333` cycles	`1012397` cycles	`1.01`
`ML-DSA-87 verify`	`402834` cycles	`402619` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a) (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`120281` cycles	`120615` cycles	`1.00`
`ML-DSA-44 sign`	`451375` cycles	`447589` cycles	`1.01`
`ML-DSA-44 verify`	`130196` cycles	`130296` cycles	`1.00`
`ML-DSA-65 keypair`	`204546` cycles	`204314` cycles	`1.00`
`ML-DSA-65 sign`	`735017` cycles	`728144` cycles	`1.01`
`ML-DSA-65 verify`	`210314` cycles	`210151` cycles	`1.00`
`ML-DSA-87 keypair`	`339014` cycles	`338739` cycles	`1.00`
`ML-DSA-87 sign`	`938177` cycles	`924086` cycles	`1.02`
`ML-DSA-87 verify`	`348545` cycles	`347015` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`113283` cycles	`113486` cycles	`1.00`
`ML-DSA-44 sign`	`357111` cycles	`355929` cycles	`1.00`
`ML-DSA-44 verify`	`118047` cycles	`118313` cycles	`1.00`
`ML-DSA-65 keypair`	`196488` cycles	`196525` cycles	`1.00`
`ML-DSA-65 sign`	`590456` cycles	`588739` cycles	`1.00`
`ML-DSA-65 verify`	`194638` cycles	`194868` cycles	`1.00`
`ML-DSA-87 keypair`	`322230` cycles	`323107` cycles	`1.00`
`ML-DSA-87 sign`	`755634` cycles	`753767` cycles	`1.00`
`ML-DSA-87 verify`	`320307` cycles	`320405` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2 (no-opt)

Details

Benchmark suite	Current: `6669315`	Previous: `bb07ee8`	Ratio
`ML-DSA-44 keypair`	`212863` cycles	`212744` cycles	`1.00`
`ML-DSA-44 sign`	`769060` cycles	`760342` cycles	`1.01`
`ML-DSA-44 verify`	`241107` cycles	`234472` cycles	`1.03`
`ML-DSA-65 keypair`	`381208` cycles	`380565` cycles	`1.00`
`ML-DSA-65 sign`	`1266242` cycles	`1254252` cycles	`1.01`
`ML-DSA-65 verify`	`373043` cycles	`372074` cycles	`1.00`
`ML-DSA-87 keypair`	`606211` cycles	`604302` cycles	`1.00`
`ML-DSA-87 sign`	`1608784` cycles	`1594512` cycles	`1.01`
`ML-DSA-87 verify`	`618129` cycles	`618492` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot · 2026-03-24T01:40:08Z

CBMC Results (ML-DSA-44)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`unpack_sk`	❌	-	5s	-
`sign_signature_internal`	⚠️	49s	31s	+58%

Full Results (176 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2217s	1998s	+11.0%
`mld_attempt_signature_generation`	✅	287s	231s	+24%
`polyvecl_pointwise_acc_montgomery_c`	✅	243s	208s	+17%
`poly_pointwise_montgomery_c`	✅	179s	152s	+18%
`rej_uniform_native`	✅	155s	146s	+6%
`sign_verify_internal`	✅	130s	126s	+3%
`mld_invntt_layer`	✅	94s	88s	+7%
`mld_ct_memcmp`	✅	81s	77s	+5%
`mld_ntt_layer`	✅	61s	59s	+3%
`sign_signature_internal`	⚠️	49s	31s	+58%
`keccak_squeezeblocks_x4`	✅	45s	42s	+7%
`polyvec_matrix_expand`	✅	32s	28s	+14%
`fqmul`	✅	23s	20s	+15%
`poly_chknorm_c`	✅	22s	19s	+16%
`rej_uniform`	✅	22s	22s	+0%
`polyeta_unpack`	✅	20s	16s	+25%
`poly_uniform_eta_4x`	✅	17s	17s	+0%
`rej_uniform_c`	✅	17s	14s	+21%
`mld_compute_t0_t1_tr_from_sk_components`	✅	16s	14s	+14%
`poly_uniform_4x`	✅	16s	14s	+14%
`polymat_permute_bitrev_to_custom`	✅	16s	15s	+7%
`keccakf1600x4_permute_native`	✅	15s	13s	+15%
`mld_ntt_butterfly_block`	✅	14s	12s	+17%
`polyvec_matrix_expand_serial`	✅	14s	13s	+8%
`polyt0_unpack`	✅	13s	14s	-7%
`polyvec_matrix_pointwise_montgomery`	✅	12s	13s	-8%
`mld_check_pct`	✅	11s	5s	+120%
`poly_add`	✅	11s	9s	+22%
`polyveck_power2round`	✅	11s	12s	-8%
`polyz_unpack_c`	✅	11s	11s	+0%
`mld_polyvecl_permute_bitrev_to_custom_native`	✅	10s	7s	+43%
`keccak_absorb`	✅	9s	9s	+0%
`keccak_absorb_once_x4`	✅	9s	10s	-10%
`keccakf1600_permute_native`	✅	8s	7s	+14%
`poly_invntt_tomont_c`	✅	8s	5s	+60%
`poly_use_hint_c`	✅	8s	5s	+60%
`polyveck_reduce`	✅	8s	6s	+33%
`sign_pk_from_sk`	✅	8s	7s	+14%
`caddq`	✅	7s	3s	+133%
`keccakf1600_permute`	✅	7s	7s	+0%
`mld_compute_pack_z`	✅	7s	7s	+0%
`polyveck_use_hint`	✅	7s	9s	-22%
`sign_open`	✅	7s	5s	+40%
`mld_prepare_domain_separation_prefix`	✅	6s	7s	-14%
`poly_make_hint`	✅	6s	4s	+50%
`poly_uniform_eta`	✅	6s	3s	+100%
`polyveck_add`	✅	6s	9s	-33%
`polyveck_ntt`	✅	6s	6s	+0%
`polyveck_shiftl`	✅	6s	4s	+50%
`rej_eta_native`	✅	6s	5s	+20%
`sign_signature_pre_hash_shake256`	✅	6s	3s	+100%
`sign_verify_pre_hash_internal`	✅	6s	4s	+50%
`unpack_hints`	✅	6s	8s	-25%
`fqscale`	✅	5s	4s	+25%
`make_hint`	✅	5s	3s	+67%
`montgomery_reduce`	✅	5s	3s	+67%
`poly_caddq`	✅	5s	3s	+67%
`poly_challenge`	✅	5s	4s	+25%
`poly_invntt_tomont_native`	✅	5s	4s	+25%
`poly_pointwise_montgomery`	✅	5s	4s	+25%
`poly_reduce`	✅	5s	3s	+67%
`poly_uniform_gamma1_4x`	✅	5s	3s	+67%
`poly_use_hint_native`	✅	5s	3s	+67%
`polyveck_caddq`	✅	5s	3s	+67%
`polyveck_chknorm`	✅	5s	4s	+25%
`polyveck_decompose`	✅	5s	5s	+0%
`polyveck_sub`	✅	5s	5s	+0%
`polyveck_unpack_eta`	✅	5s	2s	+150%
`polyvecl_chknorm`	✅	5s	4s	+25%
`polyvecl_pack_eta`	✅	5s	2s	+150%
`power2round`	✅	5s	3s	+67%
`sign`	✅	5s	7s	-29%
`sign_keypair_internal`	✅	5s	9s	-44%
`sign_signature_pre_hash_internal`	✅	5s	3s	+67%
`sign_verify`	✅	5s	7s	-29%
`sign_verify_extmu`	✅	5s	5s	+0%
`decompose`	✅	4s	4s	+0%
`keccakf1600_extract_bytes (big endian)`	✅	4s	2s	+100%
`keccakf1600_xor_bytes (big endian)`	✅	4s	3s	+33%
`keccakf1600x4_extract_bytes`	✅	4s	5s	-20%
`keccakf1600x4_permute`	✅	4s	3s	+33%
`mld_ct_cmask_nonzero_u32`	✅	4s	4s	+0%
`mld_h`	✅	4s	6s	-33%
`mld_sample_s1_s2`	✅	4s	2s	+100%
`mld_value_barrier_i64`	✅	4s	3s	+33%
`mld_value_barrier_u32`	✅	4s	2s	+100%
`pack_sig_c_h`	✅	4s	5s	-20%
`poly_caddq_c`	✅	4s	4s	+0%
`poly_caddq_native`	✅	4s	3s	+33%
`poly_chknorm_native`	✅	4s	2s	+100%
`poly_decompose_native`	✅	4s	3s	+33%
`poly_ntt_c`	✅	4s	4s	+0%
`poly_ntt_native`	✅	4s	3s	+33%
`poly_pointwise_montgomery_native`	✅	4s	2s	+100%
`poly_power2round`	✅	4s	8s	-50%
`polyt0_pack`	✅	4s	5s	-20%
`polyt1_pack`	✅	4s	3s	+33%
`polyveck_pack_t0`	✅	4s	3s	+33%
`polyveck_pointwise_poly_montgomery`	✅	4s	2s	+100%
`polyvecl_permute_bitrev_to_custom`	✅	4s	4s	+0%
`polyvecl_uniform_gamma1`	✅	4s	3s	+33%
`polyvecl_unpack_eta`	✅	4s	3s	+33%
`polyvecl_unpack_z`	✅	4s	4s	+0%
`rej_eta`	✅	4s	4s	+0%
`rej_eta_c`	✅	4s	5s	-20%
`shake128x4_absorb_once`	✅	4s	1s	+300%
`shake256_squeeze`	✅	4s	2s	+100%
`sign_verify_pre_hash_shake256`	✅	4s	5s	-20%
`sys_check_capability`	✅	4s	2s	+100%
`unpack_sig`	✅	4s	4s	+0%
`intt_native_x86_64`	✅	3s	3s	+0%
`keccak_init`	✅	3s	2s	+50%
`keccak_squeeze`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes`	✅	3s	4s	-25%
`mld_ct_abs_i32`	✅	3s	3s	+0%
`mld_keccakf1600_extract_bytes`	✅	3s	3s	+0%
`mld_sample_s1_s2_serial`	✅	3s	3s	+0%
`pack_sig_z`	✅	3s	3s	+0%
`pack_sk`	✅	3s	3s	+0%
`poly_caddq_native_aarch64`	✅	3s	6s	-50%
`poly_chknorm`	✅	3s	4s	-25%
`poly_decompose`	✅	3s	2s	+50%
`poly_decompose_c`	✅	3s	2s	+50%
`poly_invntt_tomont`	✅	3s	3s	+0%
`poly_ntt`	✅	3s	3s	+0%
`poly_shiftl`	✅	3s	2s	+50%
`poly_sub`	✅	3s	3s	+0%
`poly_uniform`	✅	3s	3s	+0%
`poly_uniform_gamma1`	✅	3s	2s	+50%
`poly_use_hint`	✅	3s	3s	+0%
`polyveck_invntt_tomont`	✅	3s	3s	+0%
`polyveck_make_hint`	✅	3s	4s	-25%
`polyveck_pack_eta`	✅	3s	2s	+50%
`polyveck_pack_w1`	✅	3s	6s	-50%
`polyveck_unpack_t0`	✅	3s	3s	+0%
`polyvecl_ntt`	✅	3s	7s	-57%
`polyvecl_uniform_gamma1_serial`	✅	3s	2s	+50%
`polyw1_pack`	✅	3s	5s	-40%
`polyz_pack`	✅	3s	5s	-40%
`shake128_absorb`	✅	3s	3s	+0%
`shake128_finalize`	✅	3s	2s	+50%
`shake128_init`	✅	3s	2s	+50%
`shake128_squeeze`	✅	3s	3s	+0%
`shake256`	✅	3s	3s	+0%
`shake256_init`	✅	3s	1s	+200%
`shake256_release`	✅	3s	2s	+50%
`sign_keypair`	✅	3s	3s	+0%
`sign_signature`	✅	3s	5s	-40%
`sign_signature_extmu`	✅	3s	5s	-40%
`unpack_pk`	✅	3s	3s	+0%
`keccak_finalize`	✅	2s	4s	-50%
`mld_ct_cmask_nonzero_u8`	✅	2s	2s	+0%
`mld_ct_get_optblocker_i64`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u32`	✅	2s	3s	-33%
`mld_ct_sel_int32`	✅	2s	2s	+0%
`mld_value_barrier_u8`	✅	2s	1s	+100%
`ntt_native_x86_64`	✅	2s	4s	-50%
`pack_pk`	✅	2s	3s	-33%
`poly_chknorm_native_aarch64`	✅	2s	5s	-60%
`polyeta_pack`	✅	2s	4s	-50%
`polyt1_unpack`	✅	2s	4s	-50%
`polyvecl_pointwise_acc_montgomery`	✅	2s	2s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	2s	3s	-33%
`polyz_unpack`	✅	2s	2s	+0%
`polyz_unpack_native`	✅	2s	3s	-33%
`reduce32`	✅	2s	3s	-33%
`shake128x4_squeezeblocks`	✅	2s	2s	+0%
`shake256_finalize`	✅	2s	3s	-33%
`shake256x4_absorb_once`	✅	2s	3s	-33%
`use_hint`	✅	2s	2s	+0%
`unpack_sk`	❌	-	5s	-
`keccakf1600_xor_bytes`	✅	1s	1s	+0%
`mld_ct_cmask_neg_i32`	✅	1s	1s	+0%
`mld_ct_get_optblocker_u8`	✅	1s	3s	-67%
`shake128_release`	✅	1s	2s	-50%
`shake256_absorb`	✅	1s	6s	-83%
`shake256x4_squeezeblocks`	✅	1s	2s	-50%

mkannwischer · 2026-03-24T01:55:33Z

Performance impact seems to be negligible. In the meantime, I have also verified that with this change, we pass the InvalidPrivateKey test vectors in Wycheproof.

I have traced back where those testvectors got added to Wycheproof: C2SP/wycheproof#146
There has been some discussion on the inclusion of those test vectors and there have been more people questioning it. For example, CIRCL also does not implement the validation of s1/s2: https://github.com/cloudflare/circl/blob/f7d2180d6a77cfb283379ec6ad357ebf1d444aed/sign/schemes/wycheproof_test.go#L76

Thinking about it more: It seems inconsistent to validate some parts of the secret key (s1, s2), but do not validate other parts (t0, tr). Validating t0 and tr would require running keygen inside of signing which is clearly too expensive.

My current opinion is that we should not partially validate the secret key. I recommend just skipping the invalid secret key tests in the Wycheproof tests (which is straightforward by filtering for InvalidPrivateKey in flags). If consumers are concerned about invalid secret keys, they should not be using the expanded secret key format anyway, but instead use a seed to re-derive the secret key.

@hanno-becker, @jakemas, @rod-chapman, @dkostic, would be great to hear your opinion.

oqs-bot · 2026-03-24T02:05:22Z

CBMC Results (ML-DSA-87)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`unpack_sk`	❌	-	5s	-

Full Results (176 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2562s	2658s	-3.6%
`polyvecl_pointwise_acc_montgomery_c`	✅	286s	276s	+4%
`sign_verify_internal`	✅	267s	330s	-19%
`mld_attempt_signature_generation`	✅	197s	237s	-17%
`polyvec_matrix_expand`	✅	178s	177s	+1%
`poly_pointwise_montgomery_c`	✅	155s	153s	+1%
`rej_uniform_native`	✅	141s	140s	+1%
`mld_invntt_layer`	✅	96s	94s	+2%
`polyvec_matrix_expand_serial`	✅	80s	79s	+1%
`mld_ct_memcmp`	✅	75s	73s	+3%
`polyveck_decompose`	✅	59s	56s	+5%
`sign_signature_internal`	✅	55s	56s	-2%
`mld_ntt_layer`	✅	53s	52s	+2%
`polymat_permute_bitrev_to_custom`	✅	49s	45s	+9%
`keccak_squeezeblocks_x4`	✅	43s	42s	+2%
`mld_compute_t0_t1_tr_from_sk_components`	✅	24s	25s	-4%
`fqmul`	✅	21s	18s	+17%
`rej_uniform`	✅	21s	21s	+0%
`poly_chknorm_c`	✅	19s	18s	+6%
`poly_uniform_4x`	✅	18s	14s	+29%
`polyeta_unpack`	✅	18s	18s	+0%
`poly_uniform_eta_4x`	✅	15s	16s	-6%
`polyt0_unpack`	✅	15s	14s	+7%
`keccakf1600x4_permute_native`	✅	14s	15s	-7%
`mld_ntt_butterfly_block`	✅	14s	12s	+17%
`rej_uniform_c`	✅	14s	12s	+17%
`mld_polyvecl_permute_bitrev_to_custom_native`	✅	12s	13s	-8%
`polyveck_use_hint`	✅	12s	13s	-8%
`keccak_absorb_once_x4`	✅	10s	10s	+0%
`poly_add`	✅	10s	13s	-23%
`polyvec_matrix_pointwise_montgomery`	✅	10s	12s	-17%
`polyveck_add`	✅	10s	9s	+11%
`polyveck_reduce`	✅	10s	10s	+0%
`polyveck_invntt_tomont`	✅	9s	7s	+29%
`polyvecl_ntt`	✅	9s	9s	+0%
`polyz_unpack_c`	✅	9s	7s	+29%
`sign_keypair_internal`	✅	9s	7s	+29%
`keccakf1600_permute`	✅	8s	7s	+14%
`keccakf1600_permute_native`	✅	8s	9s	-11%
`mld_check_pct`	✅	8s	9s	-11%
`poly_decompose_c`	✅	8s	7s	+14%
`polyveck_caddq`	✅	8s	9s	-11%
`polyveck_ntt`	✅	8s	7s	+14%
`polyveck_power2round`	✅	8s	8s	+0%
`polyveck_shiftl`	✅	8s	7s	+14%
`keccak_absorb`	✅	7s	7s	+0%
`poly_invntt_tomont_c`	✅	7s	8s	-12%
`polyveck_pointwise_poly_montgomery`	✅	7s	7s	+0%
`polyveck_sub`	✅	7s	6s	+17%
`sign`	✅	7s	7s	+0%
`sign_pk_from_sk`	✅	7s	6s	+17%
`mld_compute_pack_z`	✅	6s	8s	-25%
`mld_sample_s1_s2`	✅	6s	7s	-14%
`poly_challenge`	✅	6s	4s	+50%
`poly_ntt_native`	✅	6s	2s	+200%
`poly_power2round`	✅	6s	5s	+20%
`polyveck_chknorm`	✅	6s	6s	+0%
`polyveck_pack_t0`	✅	6s	3s	+100%
`sign_signature_extmu`	✅	6s	3s	+100%
`sign_verify_pre_hash_shake256`	✅	6s	6s	+0%
`unpack_pk`	✅	6s	3s	+100%
`fqscale`	✅	5s	5s	+0%
`mld_prepare_domain_separation_prefix`	✅	5s	5s	+0%
`mld_sample_s1_s2_serial`	✅	5s	9s	-44%
`poly_caddq_c`	✅	5s	7s	-29%
`poly_chknorm_native`	✅	5s	2s	+150%
`poly_invntt_tomont_native`	✅	5s	4s	+25%
`poly_uniform_gamma1`	✅	5s	2s	+150%
`polyvecl_uniform_gamma1_serial`	✅	5s	4s	+25%
`polyvecl_unpack_z`	✅	5s	6s	-17%
`shake256_init`	✅	5s	1s	+400%
`sign_open`	✅	5s	5s	+0%
`sign_verify_pre_hash_internal`	✅	5s	5s	+0%
`unpack_hints`	✅	5s	5s	+0%
`intt_native_x86_64`	✅	4s	4s	+0%
`keccak_squeeze`	✅	4s	2s	+100%
`keccakf1600_xor_bytes`	✅	4s	4s	+0%
`mld_ct_get_optblocker_u8`	✅	4s	1s	+300%
`mld_keccakf1600_extract_bytes`	✅	4s	2s	+100%
`montgomery_reduce`	✅	4s	4s	+0%
`pack_pk`	✅	4s	2s	+100%
`pack_sk`	✅	4s	3s	+33%
`poly_caddq_native_aarch64`	✅	4s	2s	+100%
`poly_ntt_c`	✅	4s	4s	+0%
`poly_reduce`	✅	4s	3s	+33%
`poly_sub`	✅	4s	5s	-20%
`poly_uniform`	✅	4s	4s	+0%
`poly_uniform_eta`	✅	4s	5s	-20%
`poly_uniform_gamma1_4x`	✅	4s	4s	+0%
`polyt0_pack`	✅	4s	4s	+0%
`polyveck_make_hint`	✅	4s	7s	-43%
`polyveck_unpack_t0`	✅	4s	6s	-33%
`polyvecl_chknorm`	✅	4s	6s	-33%
`polyvecl_pack_eta`	✅	4s	4s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	4s	4s	+0%
`polyvecl_uniform_gamma1`	✅	4s	4s	+0%
`polyvecl_unpack_eta`	✅	4s	4s	+0%
`rej_eta_c`	✅	4s	3s	+33%
`rej_eta_native`	✅	4s	4s	+0%
`shake256_finalize`	✅	4s	3s	+33%
`shake256x4_absorb_once`	✅	4s	2s	+100%
`sign_signature_pre_hash_shake256`	✅	4s	6s	-33%
`use_hint`	✅	4s	3s	+33%
`caddq`	✅	3s	4s	-25%
`decompose`	✅	3s	2s	+50%
`keccak_init`	✅	3s	4s	-25%
`keccakf1600_extract_bytes (big endian)`	✅	3s	2s	+50%
`keccakf1600x4_permute`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes`	✅	3s	3s	+0%
`mld_ct_cmask_neg_i32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u32`	✅	3s	5s	-40%
`mld_ct_get_optblocker_i64`	✅	3s	3s	+0%
`mld_ct_get_optblocker_u32`	✅	3s	4s	-25%
`mld_value_barrier_i64`	✅	3s	4s	-25%
`ntt_native_x86_64`	✅	3s	3s	+0%
`pack_sig_c_h`	✅	3s	3s	+0%
`poly_decompose`	✅	3s	3s	+0%
`poly_invntt_tomont`	✅	3s	2s	+50%
`poly_ntt`	✅	3s	3s	+0%
`poly_pointwise_montgomery`	✅	3s	4s	-25%
`poly_shiftl`	✅	3s	3s	+0%
`poly_use_hint`	✅	3s	2s	+50%
`poly_use_hint_c`	✅	3s	3s	+0%
`poly_use_hint_native`	✅	3s	4s	-25%
`polyt1_unpack`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	4s	-25%
`polyvecl_pointwise_acc_montgomery_native`	✅	3s	4s	-25%
`polyw1_pack`	✅	3s	4s	-25%
`polyz_unpack`	✅	3s	4s	-25%
`polyz_unpack_native`	✅	3s	6s	-50%
`power2round`	✅	3s	2s	+50%
`reduce32`	✅	3s	3s	+0%
`rej_eta`	✅	3s	6s	-50%
`shake256x4_squeezeblocks`	✅	3s	7s	-57%
`sign_keypair`	✅	3s	3s	+0%
`sign_signature`	✅	3s	6s	-50%
`sign_verify`	✅	3s	3s	+0%
`sys_check_capability`	✅	3s	4s	-25%
`unpack_sig`	✅	3s	5s	-40%
`keccak_finalize`	✅	2s	2s	+0%
`keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`make_hint`	✅	2s	3s	-33%
`mld_ct_abs_i32`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u8`	✅	2s	5s	-60%
`mld_ct_sel_int32`	✅	2s	1s	+100%
`mld_h`	✅	2s	4s	-50%
`mld_value_barrier_u32`	✅	2s	4s	-50%
`mld_value_barrier_u8`	✅	2s	1s	+100%
`pack_sig_z`	✅	2s	6s	-67%
`poly_caddq`	✅	2s	2s	+0%
`poly_caddq_native`	✅	2s	2s	+0%
`poly_chknorm`	✅	2s	3s	-33%
`poly_chknorm_native_aarch64`	✅	2s	2s	+0%
`poly_decompose_native`	✅	2s	2s	+0%
`poly_make_hint`	✅	2s	4s	-50%
`poly_pointwise_montgomery_native`	✅	2s	2s	+0%
`polyeta_pack`	✅	2s	3s	-33%
`polyt1_pack`	✅	2s	3s	-33%
`polyveck_pack_w1`	✅	2s	2s	+0%
`polyveck_unpack_eta`	✅	2s	5s	-60%
`polyvecl_permute_bitrev_to_custom`	✅	2s	2s	+0%
`polyz_pack`	✅	2s	2s	+0%
`shake128_absorb`	✅	2s	2s	+0%
`shake128_finalize`	✅	2s	3s	-33%
`shake128_init`	✅	2s	2s	+0%
`shake128_release`	✅	2s	3s	-33%
`shake128x4_absorb_once`	✅	2s	4s	-50%
`shake128x4_squeezeblocks`	✅	2s	3s	-33%
`shake256_absorb`	✅	2s	2s	+0%
`sign_signature_pre_hash_internal`	✅	2s	3s	-33%
`sign_verify_extmu`	✅	2s	5s	-60%
`unpack_sk`	❌	-	5s	-
`shake128_squeeze`	✅	1s	2s	-50%
`shake256`	✅	1s	2s	-50%
`shake256_release`	✅	1s	1s	+0%
`shake256_squeeze`	✅	1s	2s	-50%

oqs-bot · 2026-03-24T02:05:43Z

CBMC Results (ML-DSA-65)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`unpack_sk`	❌	-	5s	-

Full Results (176 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2623s	2485s	+5.6%
`sign_verify_internal`	✅	331s	336s	-1%
`mld_attempt_signature_generation`	✅	274s	275s	-0%
`polyvecl_pointwise_acc_montgomery_c`	✅	225s	192s	+17%
`poly_pointwise_montgomery_c`	✅	187s	153s	+22%
`rej_uniform_native`	✅	162s	148s	+9%
`polyvec_matrix_expand`	✅	134s	126s	+6%
`mld_invntt_layer`	✅	103s	96s	+7%
`mld_ct_memcmp`	✅	86s	76s	+13%
`polyvec_matrix_expand_serial`	✅	75s	68s	+10%
`mld_ntt_layer`	✅	60s	55s	+9%
`keccak_squeezeblocks_x4`	✅	51s	43s	+19%
`sign_signature_internal`	✅	37s	39s	-5%
`polymat_permute_bitrev_to_custom`	✅	34s	30s	+13%
`mld_compute_t0_t1_tr_from_sk_components`	✅	29s	27s	+7%
`poly_chknorm_c`	✅	25s	21s	+19%
`rej_uniform`	✅	23s	24s	-4%
`fqmul`	✅	21s	21s	+0%
`rej_uniform_c`	✅	18s	13s	+38%
`poly_uniform_eta_4x`	✅	16s	16s	+0%
`polyt0_unpack`	✅	15s	15s	+0%
`poly_uniform_4x`	✅	14s	17s	-18%
`polyvecl_chknorm`	✅	14s	11s	+27%
`keccakf1600x4_permute_native`	✅	13s	13s	+0%
`polyveck_sub`	✅	13s	11s	+18%
`mld_ntt_butterfly_block`	✅	12s	12s	+0%
`polyveck_decompose`	✅	12s	11s	+9%
`polyveck_power2round`	✅	12s	11s	+9%
`keccak_absorb_once_x4`	✅	11s	11s	+0%
`poly_add`	✅	11s	12s	-8%
`polyvec_matrix_pointwise_montgomery`	✅	11s	11s	+0%
`polyveck_invntt_tomont`	✅	11s	9s	+22%
`mld_check_pct`	✅	10s	8s	+25%
`poly_invntt_tomont_c`	✅	9s	6s	+50%
`polyveck_ntt`	✅	9s	12s	-25%
`polyveck_use_hint`	✅	9s	8s	+12%
`sign_pk_from_sk`	✅	9s	8s	+12%
`keccak_absorb`	✅	8s	7s	+14%
`keccakf1600_permute_native`	✅	8s	8s	+0%
`mld_polyvecl_permute_bitrev_to_custom_native`	✅	8s	7s	+14%
`poly_decompose_c`	✅	8s	9s	-11%
`polyveck_add`	✅	8s	9s	-11%
`polyveck_reduce`	✅	8s	6s	+33%
`polyveck_shiftl`	✅	8s	7s	+14%
`polyvecl_ntt`	✅	8s	7s	+14%
`rej_eta_native`	✅	8s	4s	+100%
`keccakf1600_permute`	✅	7s	7s	+0%
`poly_caddq_c`	✅	7s	5s	+40%
`polyveck_caddq`	✅	7s	8s	-12%
`sign_keypair_internal`	✅	7s	5s	+40%
`mld_sample_s1_s2_serial`	✅	6s	5s	+20%
`poly_uniform_eta`	✅	6s	5s	+20%
`polyeta_unpack`	✅	6s	6s	+0%
`polyveck_make_hint`	✅	6s	7s	-14%
`polyveck_pointwise_poly_montgomery`	✅	6s	7s	-14%
`polyveck_unpack_t0`	✅	6s	6s	+0%
`polyz_unpack_native`	✅	6s	3s	+100%
`sign`	✅	6s	7s	-14%
`sign_signature_extmu`	✅	6s	4s	+50%
`sign_signature_pre_hash_shake256`	✅	6s	3s	+100%
`mld_h`	✅	5s	3s	+67%
`pack_sk`	✅	5s	3s	+67%
`poly_challenge`	✅	5s	4s	+25%
`poly_invntt_tomont_native`	✅	5s	3s	+67%
`poly_ntt_c`	✅	5s	3s	+67%
`poly_pointwise_montgomery_native`	✅	5s	4s	+25%
`poly_uniform`	✅	5s	4s	+25%
`poly_use_hint_c`	✅	5s	4s	+25%
`poly_use_hint_native`	✅	5s	5s	+0%
`polyt0_pack`	✅	5s	3s	+67%
`polyvecl_uniform_gamma1`	✅	5s	4s	+25%
`power2round`	✅	5s	3s	+67%
`sign_open`	✅	5s	5s	+0%
`sign_signature_pre_hash_internal`	✅	5s	6s	-17%
`sign_verify_pre_hash_internal`	✅	5s	4s	+25%
`use_hint`	✅	5s	3s	+67%
`decompose`	✅	4s	2s	+100%
`intt_native_x86_64`	✅	4s	4s	+0%
`keccak_squeeze`	✅	4s	4s	+0%
`keccakf1600_extract_bytes (big endian)`	✅	4s	2s	+100%
`mld_compute_pack_z`	✅	4s	6s	-33%
`mld_ct_cmask_nonzero_u8`	✅	4s	2s	+100%
`mld_ct_get_optblocker_i64`	✅	4s	5s	-20%
`mld_sample_s1_s2`	✅	4s	8s	-50%
`montgomery_reduce`	✅	4s	2s	+100%
`pack_sig_z`	✅	4s	4s	+0%
`poly_caddq_native`	✅	4s	2s	+100%
`poly_chknorm_native_aarch64`	✅	4s	3s	+33%
`poly_decompose`	✅	4s	2s	+100%
`poly_decompose_native`	✅	4s	3s	+33%
`poly_ntt`	✅	4s	2s	+100%
`poly_power2round`	✅	4s	5s	-20%
`poly_uniform_gamma1_4x`	✅	4s	7s	-43%
`poly_use_hint`	✅	4s	3s	+33%
`polyt1_unpack`	✅	4s	2s	+100%
`polyveck_chknorm`	✅	4s	3s	+33%
`polyveck_pack_eta`	✅	4s	2s	+100%
`polyveck_pack_t0`	✅	4s	5s	-20%
`polyveck_pack_w1`	✅	4s	3s	+33%
`polyvecl_pack_eta`	✅	4s	4s	+0%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	4s	+0%
`polyvecl_uniform_gamma1_serial`	✅	4s	4s	+0%
`polyw1_pack`	✅	4s	3s	+33%
`polyz_pack`	✅	4s	3s	+33%
`rej_eta_c`	✅	4s	3s	+33%
`shake128_squeeze`	✅	4s	3s	+33%
`shake256_squeeze`	✅	4s	3s	+33%
`sign_verify`	✅	4s	7s	-43%
`sign_verify_extmu`	✅	4s	4s	+0%
`sign_verify_pre_hash_shake256`	✅	4s	2s	+100%
`unpack_hints`	✅	4s	5s	-20%
`keccak_init`	✅	3s	3s	+0%
`keccakf1600_xor_bytes`	✅	3s	3s	+0%
`keccakf1600x4_permute`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes`	✅	3s	2s	+50%
`make_hint`	✅	3s	5s	-40%
`mld_ct_cmask_neg_i32`	✅	3s	1s	+200%
`mld_ct_get_optblocker_u8`	✅	3s	5s	-40%
`mld_prepare_domain_separation_prefix`	✅	3s	4s	-25%
`ntt_native_x86_64`	✅	3s	5s	-40%
`poly_caddq_native_aarch64`	✅	3s	5s	-40%
`poly_chknorm`	✅	3s	2s	+50%
`poly_chknorm_native`	✅	3s	4s	-25%
`poly_invntt_tomont`	✅	3s	4s	-25%
`poly_make_hint`	✅	3s	5s	-40%
`poly_ntt_native`	✅	3s	2s	+50%
`poly_pointwise_montgomery`	✅	3s	7s	-57%
`poly_uniform_gamma1`	✅	3s	4s	-25%
`polyeta_pack`	✅	3s	4s	-25%
`polyt1_pack`	✅	3s	2s	+50%
`polyveck_unpack_eta`	✅	3s	3s	+0%
`polyvecl_permute_bitrev_to_custom`	✅	3s	3s	+0%
`polyvecl_unpack_eta`	✅	3s	1s	+200%
`polyvecl_unpack_z`	✅	3s	4s	-25%
`polyz_unpack`	✅	3s	4s	-25%
`shake128_finalize`	✅	3s	3s	+0%
`shake128_init`	✅	3s	2s	+50%
`shake128_release`	✅	3s	5s	-40%
`shake256_finalize`	✅	3s	5s	-40%
`sign_keypair`	✅	3s	5s	-40%
`unpack_pk`	✅	3s	4s	-25%
`unpack_sig`	✅	3s	4s	-25%
`caddq`	✅	2s	4s	-50%
`fqscale`	✅	2s	2s	+0%
`keccak_finalize`	✅	2s	2s	+0%
`keccakf1600_xor_bytes (big endian)`	✅	2s	4s	-50%
`keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`mld_ct_abs_i32`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u32`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	3s	-33%
`mld_keccakf1600_extract_bytes`	✅	2s	2s	+0%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`mld_value_barrier_u32`	✅	2s	2s	+0%
`mld_value_barrier_u8`	✅	2s	2s	+0%
`pack_sig_c_h`	✅	2s	4s	-50%
`poly_caddq`	✅	2s	3s	-33%
`poly_reduce`	✅	2s	4s	-50%
`poly_shiftl`	✅	2s	4s	-50%
`poly_sub`	✅	2s	3s	-33%
`polyvecl_pointwise_acc_montgomery`	✅	2s	3s	-33%
`polyz_unpack_c`	✅	2s	3s	-33%
`reduce32`	✅	2s	4s	-50%
`rej_eta`	✅	2s	3s	-33%
`shake128x4_absorb_once`	✅	2s	2s	+0%
`shake256`	✅	2s	3s	-33%
`shake256_absorb`	✅	2s	1s	+100%
`shake256_init`	✅	2s	2s	+0%
`shake256_release`	✅	2s	2s	+0%
`shake256x4_absorb_once`	✅	2s	3s	-33%
`sign_signature`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	2s	+0%
`unpack_sk`	❌	-	5s	-
`pack_pk`	✅	1s	5s	-80%
`shake128_absorb`	✅	1s	1s	+0%
`shake128x4_squeezeblocks`	✅	1s	3s	-67%
`shake256x4_squeezeblocks`	✅	1s	2s	-50%

mkannwischer added the benchmark label Mar 24, 2026

mkannwischer changed the title ~~Validate s1/s2 coefficient bounds during signing~~ RFC: Validate s1/s2 coefficient bounds during signing Mar 24, 2026

github-actions bot reviewed Mar 24, 2026

View reviewed changes

oqs-bot reviewed Mar 24, 2026

View reviewed changes

Conversation

mkannwischer commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot left a comment

Choose a reason for hiding this comment

Arm Cortex-A76 (Raspberry Pi 5) benchmarks (opt)

Uh oh!

github-actions bot left a comment

Choose a reason for hiding this comment

Arm Cortex-A76 (Raspberry Pi 5) benchmarks (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Intel Xeon 4th gen (c7i)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Intel Xeon 4th gen (c7i) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton4

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton4 (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton3

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

⚠️ Performance Alert ⚠️

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton3 (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton2

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton2 (no-opt)

Uh oh!

oqs-bot commented Mar 24, 2026

CBMC Results (ML-DSA-44)

Uh oh!

mkannwischer commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oqs-bot commented Mar 24, 2026

CBMC Results (ML-DSA-87)

mkannwischer commented Mar 24, 2026 •

edited

Loading

mkannwischer commented Mar 24, 2026 •

edited

Loading