CBMC: Introduce separate proofs for Keccak XXX_c() functions by willieyz · Pull Request #1613 · pq-code-package/mlkem-native

willieyz · 2026-03-04T08:34:36Z

Resolves: CBMC: Introduce separate proofs for Keccak XXX_c() functions #1560

For arithmetic functions that have a native implementation, we have 3 CBMC proofs:

Proof for the pure C implementation names XXX_c()
Proof for the wrapper function on top of the C implementation
Proof for the wrapper function on top of the native function (with C fallback).

This PR add cbmc proof for follwoing three keccakf1600*_c funciton:

mlk_keccakf1600_permute_c()
mlk_keccakf1600x4_extract_bytes_c()
mlk_keccakf1600x4_xor_bytes_c()

For each function, the following steps performed:

Add the corresponding CBMC contract, copied from the wrapper function.
Create a dedicated CBMC proof for the pure C implementation.
Update the existing wrapper CBMC proof Makefiles by adding XXX_C to USE_FUNCTION_CONTRACTS, and apply the same change to the native proof configuration.

oqs-bot · 2026-03-04T08:55:28Z

CBMC Results (ML-KEM-512)

Full Results (190 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1069s	1123s	-4.8%
`mlk_indcpa_enc`	✅	134s	133s	+1%
`mlk_indcpa_keypair_derand`	✅	134s	148s	-9%
`mlk_rej_uniform_c`	✅	65s	67s	-3%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	60s	62s	-3%
`mlk_poly_rej_uniform`	✅	37s	38s	-3%
`poly_ntt_native`	✅	25s	30s	-17%
`mlk_keccak_squeezeblocks_x4`	✅	22s	24s	-8%
`polyvec_basemul_acc_montgomery_cached_native`	✅	19s	20s	-5%
`keccakf1600x4_permute_native_x4`	✅	18s	18s	+0%
`mlk_poly_decompress_d4_native`	✅	14s	13s	+8%
`mlk_polyvec_add`	✅	14s	16s	-12%
`mlk_ntt_layer`	✅	13s	13s	+0%
`mlk_poly_decompress_d10_native`	✅	13s	14s	-7%
`mlk_poly_reduce_native`	✅	11s	13s	-15%
`mlk_indcpa_dec`	✅	10s	15s	-33%
`mlk_keccak_absorb_once_x4`	✅	9s	9s	+0%
`mlk_poly_frombytes_native`	✅	9s	8s	+12%
`mlk_poly_frommsg`	✅	9s	11s	-18%
`mlk_polymat_permute_bitrev_to_custom`	✅	9s	9s	+0%
`mlk_poly_rej_uniform_x4`	✅	8s	6s	+33%
`mlk_invntt_layer`	✅	6s	5s	+20%
`mlk_keccak_squeezeblocks`	✅	6s	5s	+20%
`mlk_keccakf1600x4_extract_bytes_c`	✅	6s	-	new
`mlk_ntt_butterfly_block`	✅	6s	7s	-14%
`poly_decompress_d4_native_x86_64`	✅	6s	8s	-25%
`mlk_fqmul`	✅	5s	6s	-17%
`mlk_keccak_squeeze_once`	✅	5s	6s	-17%
`mlk_poly_decompress_d10`	✅	5s	1s	+400%
`poly_compress_d4_native_x86_64`	✅	5s	2s	+150%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	5s	2s	+150%
`mlk_ct_cmov_zero`	✅	4s	1s	+300%
`mlk_ct_get_optblocker_u32`	✅	4s	3s	+33%
`mlk_ct_memcmp`	✅	4s	2s	+100%
`mlk_keccak_absorb_once`	✅	4s	4s	+0%
`mlk_keccakf1600_permute_c`	✅	4s	-	new
`mlk_keccakf1600x4_permute`	✅	4s	2s	+100%
`mlk_keccakf1600x4_xor_bytes`	✅	4s	3s	+33%
`mlk_poly_add`	✅	4s	5s	-20%
`mlk_poly_cbd_eta1`	✅	4s	2s	+100%
`mlk_poly_cbd_eta2`	✅	4s	5s	-20%
`mlk_poly_compress_d4_native`	✅	4s	2s	+100%
`mlk_poly_getnoise_eta1_4x`	✅	4s	4s	+0%
`mlk_poly_tomont_c`	✅	4s	3s	+33%
`mlk_scalar_decompress_d11`	✅	4s	2s	+100%
`mlk_shake128x4_absorb_once`	✅	4s	2s	+100%
`nttunpack_native_x86_64`	✅	4s	2s	+100%
`poly_compress_d11_native_x86_64`	✅	4s	4s	+0%
`poly_decompress_d10_native_x86_64`	✅	4s	5s	-20%
`poly_frombytes_native_x86_64`	✅	4s	3s	+33%
`poly_mulcache_compute_native_x86_64`	✅	4s	1s	+300%
`rej_uniform_native_x86_64`	✅	4s	3s	+33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	1s	+200%
`kem_check_pk`	✅	3s	5s	-40%
`kem_dec`	✅	3s	6s	-50%
`kem_enc`	✅	3s	1s	+200%
`kem_enc_derand`	✅	3s	3s	+0%
`kem_keypair_derand`	✅	3s	2s	+50%
`mlk_barrett_reduce`	✅	3s	2s	+50%
`mlk_ct_sel_int16`	✅	3s	2s	+50%
`mlk_ct_sel_uint8`	✅	3s	4s	-25%
`mlk_gen_matrix`	✅	3s	5s	-40%
`mlk_gen_matrix_serial`	✅	3s	3s	+0%
`mlk_keccakf1600_extract_bytes`	✅	3s	2s	+50%
`mlk_keccakf1600_xor_bytes`	✅	3s	4s	-25%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	3s	2s	+50%
`mlk_poly_compress_d10_c`	✅	3s	3s	+0%
`mlk_poly_compress_d11`	✅	3s	2s	+50%
`mlk_poly_compress_d11_native`	✅	3s	3s	+0%
`mlk_poly_compress_d4_c`	✅	3s	2s	+50%
`mlk_poly_compress_d5_native`	✅	3s	2s	+50%
`mlk_poly_compress_du`	✅	3s	2s	+50%
`mlk_poly_decompress_d11_c`	✅	3s	1s	+200%
`mlk_poly_decompress_d4`	✅	3s	1s	+200%
`mlk_poly_decompress_d4_c`	✅	3s	4s	-25%
`mlk_poly_decompress_d5`	✅	3s	1s	+200%
`mlk_poly_decompress_d5_c`	✅	3s	1s	+200%
`mlk_poly_frombytes_c`	✅	3s	4s	-25%
`mlk_poly_getnoise_eta1122_4x`	✅	3s	3s	+0%
`mlk_poly_getnoise_eta1_4x_native`	✅	3s	5s	-40%
`mlk_poly_invntt_tomont`	✅	3s	2s	+50%
`mlk_poly_mulcache_compute_c`	✅	3s	4s	-25%
`mlk_poly_mulcache_compute_native`	✅	3s	4s	-25%
`mlk_poly_ntt`	✅	3s	3s	+0%
`mlk_poly_reduce`	✅	3s	3s	+0%
`mlk_polyvec_decompress_du`	✅	3s	5s	-40%
`mlk_polyvec_frombytes`	✅	3s	3s	+0%
`mlk_polyvec_invntt_tomont`	✅	3s	3s	+0%
`mlk_polyvec_ntt`	✅	3s	3s	+0%
`mlk_polyvec_permute_bitrev_to_custom`	✅	3s	3s	+0%
`mlk_polyvec_reduce`	✅	3s	4s	-25%
`mlk_polyvec_tomont`	✅	3s	2s	+50%
`mlk_scalar_decompress_d5`	✅	3s	1s	+200%
`mlk_sha3_512`	✅	3s	4s	-25%
`mlk_shake256x4`	✅	3s	5s	-40%
`poly_compress_d10_native_x86_64`	✅	3s	2s	+50%
`poly_getnoise_eta1122_4x_native`	✅	3s	1s	+200%
`poly_invntt_tomont_native`	✅	3s	3s	+0%
`poly_reduce_native_aarch64`	✅	3s	1s	+200%
`poly_reduce_native_x86_64`	✅	3s	2s	+50%
`rej_uniform_native_aarch64`	✅	3s	2s	+50%
`intt_native_x86_64`	✅	2s	1s	+100%
`keccakf1600_permute_native`	✅	2s	7s	-71%
`keccakf1600x4_extract_bytes_native`	✅	2s	2s	+0%
`kem_check_sk`	✅	2s	1s	+100%
`kem_keypair`	✅	2s	3s	-33%
`mlk_ct_cmask_nonzero_u16`	✅	2s	2s	+0%
`mlk_ct_cmask_nonzero_u8`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_i32`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_u8`	✅	2s	1s	+100%
`mlk_keccakf1600_permute`	✅	2s	4s	-50%
`mlk_keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`mlk_keccakf1600x4_xor_bytes_c`	✅	2s	-	new
`mlk_keypair_getnoise_eta1`	✅	2s	4s	-50%
`mlk_montgomery_reduce`	✅	2s	3s	-33%
`mlk_poly_compress_d10`	✅	2s	2s	+0%
`mlk_poly_compress_d10_native`	✅	2s	3s	-33%
`mlk_poly_compress_d11_c`	✅	2s	3s	-33%
`mlk_poly_compress_d4`	✅	2s	1s	+100%
`mlk_poly_compress_d5`	✅	2s	2s	+0%
`mlk_poly_compress_d5_c`	✅	2s	1s	+100%
`mlk_poly_decompress_d10_c`	✅	2s	3s	-33%
`mlk_poly_decompress_d11`	✅	2s	1s	+100%
`mlk_poly_decompress_d5_native`	✅	2s	1s	+100%
`mlk_poly_decompress_dv`	✅	2s	3s	-33%
`mlk_poly_frombytes`	✅	2s	3s	-33%
`mlk_poly_getnoise_eta2`	✅	2s	4s	-50%
`mlk_poly_invntt_tomont_c`	✅	2s	5s	-60%
`mlk_poly_mulcache_compute`	✅	2s	2s	+0%
`mlk_poly_ntt_c`	✅	2s	2s	+0%
`mlk_poly_sub`	✅	2s	1s	+100%
`mlk_poly_tobytes`	✅	2s	3s	-33%
`mlk_poly_tomont`	✅	2s	2s	+0%
`mlk_poly_tomont_native`	✅	2s	3s	-33%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	2s	4s	-50%
`mlk_polyvec_mulcache_compute`	✅	2s	3s	-33%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	2s	4s	-50%
`mlk_polyvec_tobytes`	✅	2s	2s	+0%
`mlk_rej_uniform`	✅	2s	2s	+0%
`mlk_scalar_compress_d11`	✅	2s	2s	+0%
`mlk_scalar_compress_d4`	✅	2s	1s	+100%
`mlk_scalar_decompress_d10`	✅	2s	5s	-60%
`mlk_scalar_signed_to_unsigned_q`	✅	2s	2s	+0%
`mlk_sha3_256`	✅	2s	2s	+0%
`mlk_shake128_absorb_once`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	2s	+0%
`mlk_shake256`	✅	2s	1s	+100%
`mlk_value_barrier_u32`	✅	2s	2s	+0%
`mlk_value_barrier_u8`	✅	2s	3s	-33%
`ntt_native_aarch64`	✅	2s	3s	-33%
`poly_compress_d5_native_x86_64`	✅	2s	3s	-33%
`poly_decompress_d5_native_x86_64`	✅	2s	3s	-33%
`poly_tobytes_native_aarch64`	✅	2s	3s	-33%
`poly_tobytes_native_x86_64`	✅	2s	2s	+0%
`poly_tomont_native_aarch64`	✅	2s	1s	+100%
`poly_tomont_native_x86_64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	2s	1s	+100%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	2s	4s	-50%
`rej_uniform_native`	✅	2s	5s	-60%
`intt_native_aarch64`	✅	1s	1s	+0%
`keccak_f1600_x1_native_aarch64`	✅	1s	3s	-67%
`keccak_f1600_x4_native_aarch64_v84a`	✅	1s	3s	-67%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	3s	-67%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	2s	-50%
`keccak_f1600_x4_native_avx2`	✅	1s	2s	-50%
`keccakf1600x4_xor_bytes_native`	✅	1s	3s	-67%
`mlk_check_pct`	✅	1s	4s	-75%
`mlk_ct_cmask_neg_i16`	✅	1s	2s	-50%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	1s	4s	-75%
`mlk_matvec_mul`	✅	1s	4s	-75%
`mlk_poly_compress_dv`	✅	1s	1s	+0%
`mlk_poly_decompress_d11_native`	✅	1s	2s	-50%
`mlk_poly_decompress_du`	✅	1s	2s	-50%
`mlk_poly_reduce_c`	✅	1s	2s	-50%
`mlk_poly_tobytes_c`	✅	1s	4s	-75%
`mlk_poly_tobytes_native`	✅	1s	1s	+0%
`mlk_poly_tomsg`	✅	1s	1s	+0%
`mlk_polyvec_compress_du`	✅	1s	3s	-67%
`mlk_scalar_compress_d1`	✅	1s	3s	-67%
`mlk_scalar_compress_d10`	✅	1s	2s	-50%
`mlk_scalar_compress_d5`	✅	1s	1s	+0%
`mlk_scalar_decompress_d4`	✅	1s	4s	-75%
`mlk_shake128x4_squeezeblocks`	✅	1s	2s	-50%
`mlk_value_barrier_i32`	✅	1s	2s	-50%
`ntt_native_x86_64`	✅	1s	1s	+0%
`poly_decompress_d11_native_x86_64`	✅	1s	2s	-50%
`poly_mulcache_compute_native_aarch64`	✅	1s	1s	+0%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	1s	2s	-50%
`sys_check_capability`	✅	1s	2s	-50%

oqs-bot · 2026-03-04T08:59:17Z

CBMC Results (ML-KEM-768)

Full Results (190 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1338s	1432s	-6.6%
`mlk_indcpa_enc`	✅	264s	287s	-8%
`mlk_indcpa_keypair_derand`	✅	213s	221s	-4%
`mlk_rej_uniform_c`	✅	72s	90s	-20%
`polyvec_basemul_acc_montgomery_cached_native`	✅	61s	66s	-8%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	44s	63s	-30%
`mlk_poly_rej_uniform`	✅	29s	40s	-28%
`mlk_polyvec_add`	✅	27s	31s	-13%
`poly_ntt_native`	✅	26s	32s	-19%
`mlk_keccak_squeezeblocks_x4`	✅	24s	27s	-11%
`keccakf1600x4_permute_native_x4`	✅	21s	19s	+11%
`mlk_poly_reduce_native`	✅	17s	17s	+0%
`mlk_indcpa_dec`	✅	16s	15s	+7%
`mlk_poly_decompress_d10_native`	✅	13s	16s	-19%
`mlk_poly_decompress_d4_native`	✅	13s	14s	-7%
`mlk_ntt_layer`	✅	11s	15s	-27%
`mlk_poly_frommsg`	✅	10s	12s	-17%
`mlk_keccak_absorb_once_x4`	✅	9s	9s	+0%
`mlk_poly_rej_uniform_x4`	✅	9s	8s	+12%
`mlk_invntt_layer`	✅	7s	6s	+17%
`mlk_keccak_squeeze_once`	✅	7s	6s	+17%
`mlk_ntt_butterfly_block`	✅	7s	8s	-12%
`mlk_fqmul`	✅	6s	5s	+20%
`mlk_keccak_squeezeblocks`	✅	6s	8s	-25%
`mlk_poly_add`	✅	6s	7s	-14%
`mlk_poly_compress_d10_c`	✅	6s	3s	+100%
`mlk_poly_frombytes_native`	✅	6s	9s	-33%
`kem_dec`	✅	5s	5s	+0%
`kem_enc_derand`	✅	5s	1s	+400%
`mlk_gen_matrix`	✅	5s	3s	+67%
`mlk_gen_matrix_serial`	✅	5s	3s	+67%
`mlk_poly_compress_d11_native`	✅	5s	3s	+67%
`mlk_poly_getnoise_eta1_4x_native`	✅	5s	1s	+400%
`mlk_polymat_permute_bitrev_to_custom`	✅	5s	7s	-29%
`mlk_scalar_compress_d11`	✅	5s	2s	+150%
`poly_compress_d5_native_x86_64`	✅	5s	4s	+25%
`poly_decompress_d10_native_x86_64`	✅	5s	3s	+67%
`poly_frombytes_native_x86_64`	✅	5s	6s	-17%
`poly_mulcache_compute_native_x86_64`	✅	5s	2s	+150%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	5s	2s	+150%
`kem_check_pk`	✅	4s	4s	+0%
`kem_keypair`	✅	4s	2s	+100%
`mlk_ct_cmask_nonzero_u8`	✅	4s	2s	+100%
`mlk_poly_compress_d10_native`	✅	4s	1s	+300%
`mlk_poly_decompress_d5_c`	✅	4s	2s	+100%
`mlk_poly_frombytes`	✅	4s	3s	+33%
`mlk_poly_mulcache_compute_c`	✅	4s	3s	+33%
`mlk_poly_tobytes_native`	✅	4s	4s	+0%
`mlk_polyvec_compress_du`	✅	4s	3s	+33%
`mlk_polyvec_mulcache_compute`	✅	4s	2s	+100%
`mlk_shake256x4`	✅	4s	3s	+33%
`mlk_value_barrier_u8`	✅	4s	2s	+100%
`nttunpack_native_x86_64`	✅	4s	4s	+0%
`poly_decompress_d4_native_x86_64`	✅	4s	4s	+0%
`poly_invntt_tomont_native`	✅	4s	2s	+100%
`poly_reduce_native_x86_64`	✅	4s	5s	-20%
`poly_tomont_native_x86_64`	✅	4s	2s	+100%
`keccakf1600_permute_native`	✅	3s	5s	-40%
`keccakf1600x4_xor_bytes_native`	✅	3s	4s	-25%
`kem_keypair_derand`	✅	3s	2s	+50%
`mlk_barrett_reduce`	✅	3s	2s	+50%
`mlk_check_pct`	✅	3s	2s	+50%
`mlk_ct_cmask_neg_i16`	✅	3s	4s	-25%
`mlk_ct_get_optblocker_i32`	✅	3s	4s	-25%
`mlk_ct_sel_uint8`	✅	3s	2s	+50%
`mlk_keccak_absorb_once`	✅	3s	5s	-40%
`mlk_keccakf1600_permute_c`	✅	3s	-	new
`mlk_keccakf1600x4_xor_bytes_c`	✅	3s	-	new
`mlk_matvec_mul`	✅	3s	2s	+50%
`mlk_poly_cbd_eta2`	✅	3s	2s	+50%
`mlk_poly_compress_d10`	✅	3s	3s	+0%
`mlk_poly_decompress_d4_c`	✅	3s	1s	+200%
`mlk_poly_decompress_d5_native`	✅	3s	2s	+50%
`mlk_poly_decompress_du`	✅	3s	2s	+50%
`mlk_poly_decompress_dv`	✅	3s	2s	+50%
`mlk_poly_frombytes_c`	✅	3s	2s	+50%
`mlk_poly_getnoise_eta2`	✅	3s	2s	+50%
`mlk_poly_sub`	✅	3s	3s	+0%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	3s	3s	+0%
`mlk_polyvec_invntt_tomont`	✅	3s	2s	+50%
`mlk_polyvec_ntt`	✅	3s	1s	+200%
`mlk_polyvec_permute_bitrev_to_custom`	✅	3s	1s	+200%
`mlk_polyvec_tomont`	✅	3s	2s	+50%
`mlk_scalar_compress_d1`	✅	3s	2s	+50%
`mlk_scalar_decompress_d5`	✅	3s	1s	+200%
`mlk_scalar_signed_to_unsigned_q`	✅	3s	3s	+0%
`mlk_sha3_512`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	2s	+50%
`poly_compress_d4_native_x86_64`	✅	3s	3s	+0%
`poly_getnoise_eta1122_4x_native`	✅	3s	2s	+50%
`poly_tobytes_native_aarch64`	✅	3s	3s	+0%
`poly_tobytes_native_x86_64`	✅	3s	3s	+0%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	3s	2s	+50%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	3s	1s	+200%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	3s	4s	-25%
`rej_uniform_native_aarch64`	✅	3s	5s	-40%
`intt_native_aarch64`	✅	2s	3s	-33%
`intt_native_x86_64`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64`	✅	2s	2s	+0%
`keccak_f1600_x4_native_avx2`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes_native`	✅	2s	3s	-33%
`kem_check_sk`	✅	2s	1s	+100%
`kem_enc`	✅	2s	3s	-33%
`mlk_ct_cmask_nonzero_u16`	✅	2s	1s	+100%
`mlk_ct_cmov_zero`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mlk_ct_sel_int16`	✅	2s	2s	+0%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	2s	4s	-50%
`mlk_keccakf1600_permute`	✅	2s	2s	+0%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`mlk_keccakf1600x4_extract_bytes`	✅	2s	5s	-60%
`mlk_keccakf1600x4_extract_bytes_c`	✅	2s	-	new
`mlk_keccakf1600x4_permute`	✅	2s	4s	-50%
`mlk_keccakf1600x4_xor_bytes`	✅	2s	4s	-50%
`mlk_keypair_getnoise_eta1`	✅	2s	2s	+0%
`mlk_montgomery_reduce`	✅	2s	1s	+100%
`mlk_poly_cbd_eta1`	✅	2s	2s	+0%
`mlk_poly_compress_d11`	✅	2s	2s	+0%
`mlk_poly_compress_d4`	✅	2s	2s	+0%
`mlk_poly_compress_du`	✅	2s	3s	-33%
`mlk_poly_decompress_d10`	✅	2s	2s	+0%
`mlk_poly_decompress_d10_c`	✅	2s	3s	-33%
`mlk_poly_decompress_d11_c`	✅	2s	2s	+0%
`mlk_poly_getnoise_eta1_4x`	✅	2s	3s	-33%
`mlk_poly_invntt_tomont`	✅	2s	2s	+0%
`mlk_poly_invntt_tomont_c`	✅	2s	2s	+0%
`mlk_poly_mulcache_compute`	✅	2s	4s	-50%
`mlk_poly_ntt`	✅	2s	5s	-60%
`mlk_poly_ntt_c`	✅	2s	3s	-33%
`mlk_poly_reduce`	✅	2s	2s	+0%
`mlk_poly_tobytes`	✅	2s	2s	+0%
`mlk_poly_tomont`	✅	2s	3s	-33%
`mlk_poly_tomont_c`	✅	2s	2s	+0%
`mlk_polyvec_decompress_du`	✅	2s	2s	+0%
`mlk_polyvec_frombytes`	✅	2s	1s	+100%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	2s	1s	+100%
`mlk_polyvec_reduce`	✅	2s	4s	-50%
`mlk_rej_uniform`	✅	2s	4s	-50%
`mlk_scalar_compress_d4`	✅	2s	2s	+0%
`mlk_scalar_compress_d5`	✅	2s	3s	-33%
`mlk_scalar_decompress_d10`	✅	2s	1s	+100%
`mlk_scalar_decompress_d11`	✅	2s	2s	+0%
`mlk_scalar_decompress_d4`	✅	2s	1s	+100%
`mlk_shake128_absorb_once`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	1s	+100%
`mlk_shake128x4_absorb_once`	✅	2s	2s	+0%
`mlk_shake128x4_squeezeblocks`	✅	2s	1s	+100%
`mlk_shake256`	✅	2s	2s	+0%
`mlk_value_barrier_i32`	✅	2s	1s	+100%
`mlk_value_barrier_u32`	✅	2s	1s	+100%
`ntt_native_x86_64`	✅	2s	3s	-33%
`poly_compress_d10_native_x86_64`	✅	2s	1s	+100%
`poly_compress_d11_native_x86_64`	✅	2s	1s	+100%
`poly_decompress_d11_native_x86_64`	✅	2s	3s	-33%
`poly_mulcache_compute_native_aarch64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	2s	1s	+100%
`rej_uniform_native`	✅	2s	3s	-33%
`rej_uniform_native_x86_64`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v84a`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	1s	+0%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	2s	-50%
`mlk_ct_memcmp`	✅	1s	2s	-50%
`mlk_keccakf1600_extract_bytes`	✅	1s	2s	-50%
`mlk_keccakf1600_xor_bytes`	✅	1s	3s	-67%
`mlk_poly_compress_d11_c`	✅	1s	1s	+0%
`mlk_poly_compress_d4_c`	✅	1s	4s	-75%
`mlk_poly_compress_d4_native`	✅	1s	2s	-50%
`mlk_poly_compress_d5`	✅	1s	2s	-50%
`mlk_poly_compress_d5_c`	✅	1s	2s	-50%
`mlk_poly_compress_d5_native`	✅	1s	3s	-67%
`mlk_poly_compress_dv`	✅	1s	2s	-50%
`mlk_poly_decompress_d11`	✅	1s	4s	-75%
`mlk_poly_decompress_d11_native`	✅	1s	2s	-50%
`mlk_poly_decompress_d4`	✅	1s	2s	-50%
`mlk_poly_decompress_d5`	✅	1s	3s	-67%
`mlk_poly_getnoise_eta1122_4x`	✅	1s	2s	-50%
`mlk_poly_mulcache_compute_native`	✅	1s	2s	-50%
`mlk_poly_reduce_c`	✅	1s	2s	-50%
`mlk_poly_tobytes_c`	✅	1s	2s	-50%
`mlk_poly_tomont_native`	✅	1s	1s	+0%
`mlk_poly_tomsg`	✅	1s	1s	+0%
`mlk_polyvec_tobytes`	✅	1s	2s	-50%
`mlk_scalar_compress_d10`	✅	1s	2s	-50%
`mlk_sha3_256`	✅	1s	3s	-67%
`poly_decompress_d5_native_x86_64`	✅	1s	2s	-50%
`poly_reduce_native_aarch64`	✅	1s	2s	-50%
`poly_tomont_native_aarch64`	✅	1s	3s	-67%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	1s	3s	-67%
`sys_check_capability`	✅	1s	2s	-50%

oqs-bot · 2026-03-04T09:13:44Z

CBMC Results (ML-KEM-1024)

Full Results (190 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1353s	1333s	+1.5%
`mlk_indcpa_enc`	✅	245s	255s	-4%
`polyvec_basemul_acc_montgomery_cached_native`	✅	130s	125s	+4%
`mlk_indcpa_keypair_derand`	✅	82s	81s	+1%
`mlk_rej_uniform_c`	✅	77s	75s	+3%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	72s	71s	+1%
`mlk_poly_rej_uniform`	✅	33s	34s	-3%
`poly_ntt_native`	✅	33s	33s	+0%
`mlk_keccak_squeezeblocks_x4`	✅	28s	24s	+17%
`mlk_polyvec_add`	✅	25s	28s	-11%
`keccakf1600x4_permute_native_x4`	✅	18s	23s	-22%
`mlk_ntt_layer`	✅	15s	14s	+7%
`mlk_poly_reduce_native`	✅	15s	16s	-6%
`mlk_polyvec_ntt`	✅	14s	12s	+17%
`mlk_indcpa_dec`	✅	13s	12s	+8%
`mlk_poly_decompress_d11_native`	✅	13s	13s	+0%
`mlk_poly_frommsg`	✅	13s	12s	+8%
`mlk_poly_decompress_d5_native`	✅	12s	12s	+0%
`mlk_keccak_absorb_once_x4`	✅	11s	10s	+10%
`mlk_poly_compress_d11_c`	✅	11s	7s	+57%
`mlk_poly_frombytes_native`	✅	11s	9s	+22%
`mlk_gen_matrix`	✅	10s	6s	+67%
`mlk_polymat_permute_bitrev_to_custom`	✅	10s	9s	+11%
`mlk_keccak_squeezeblocks`	✅	8s	6s	+33%
`kem_dec`	✅	7s	6s	+17%
`mlk_ntt_butterfly_block`	✅	7s	8s	-12%
`mlk_poly_rej_uniform_x4`	✅	7s	8s	-12%
`mlk_check_pct`	✅	6s	4s	+50%
`mlk_fqmul`	✅	6s	7s	-14%
`mlk_invntt_layer`	✅	6s	4s	+50%
`mlk_keccak_absorb_once`	✅	6s	4s	+50%
`mlk_keccak_squeeze_once`	✅	6s	5s	+20%
`mlk_gen_matrix_serial`	✅	5s	5s	+0%
`mlk_keccakf1600_extract_bytes`	✅	5s	2s	+150%
`mlk_poly_cbd_eta1`	✅	5s	7s	-29%
`mlk_poly_compress_dv`	✅	5s	3s	+67%
`mlk_poly_decompress_d11`	✅	5s	5s	+0%
`mlk_poly_getnoise_eta2`	✅	5s	2s	+150%
`mlk_shake256x4`	✅	5s	4s	+25%
`poly_decompress_d11_native_x86_64`	✅	5s	4s	+25%
`poly_decompress_d5_native_x86_64`	✅	5s	5s	+0%
`poly_frombytes_native_x86_64`	✅	5s	4s	+25%
`kem_check_pk`	✅	4s	6s	-33%
`kem_enc`	✅	4s	2s	+100%
`mlk_poly_add`	✅	4s	5s	-20%
`mlk_poly_frombytes`	✅	4s	4s	+0%
`mlk_poly_mulcache_compute_c`	✅	4s	3s	+33%
`mlk_poly_reduce`	✅	4s	2s	+100%
`mlk_poly_tomont_c`	✅	4s	2s	+100%
`mlk_poly_tomsg`	✅	4s	5s	-20%
`mlk_polyvec_invntt_tomont`	✅	4s	3s	+33%
`mlk_scalar_decompress_d5`	✅	4s	4s	+0%
`mlk_shake128_absorb_once`	✅	4s	1s	+300%
`poly_compress_d11_native_x86_64`	✅	4s	2s	+100%
`poly_getnoise_eta1122_4x_native`	✅	4s	2s	+100%
`poly_tobytes_native_x86_64`	✅	4s	3s	+33%
`rej_uniform_native`	✅	4s	4s	+0%
`intt_native_aarch64`	✅	3s	3s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	2s	+50%
`keccakf1600_permute_native`	✅	3s	5s	-40%
`mlk_ct_cmask_nonzero_u16`	✅	3s	2s	+50%
`mlk_ct_cmask_nonzero_u8`	✅	3s	1s	+200%
`mlk_ct_cmov_zero`	✅	3s	1s	+200%
`mlk_ct_memcmp`	✅	3s	2s	+50%
`mlk_ct_sel_uint8`	✅	3s	2s	+50%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	3s	2s	+50%
`mlk_keypair_getnoise_eta1`	✅	3s	3s	+0%
`mlk_matvec_mul`	✅	3s	2s	+50%
`mlk_poly_cbd_eta2`	✅	3s	5s	-40%
`mlk_poly_compress_d10`	✅	3s	1s	+200%
`mlk_poly_compress_d10_c`	✅	3s	2s	+50%
`mlk_poly_compress_d11_native`	✅	3s	2s	+50%
`mlk_poly_compress_d4`	✅	3s	1s	+200%
`mlk_poly_compress_d5_native`	✅	3s	3s	+0%
`mlk_poly_decompress_d10_native`	✅	3s	2s	+50%
`mlk_poly_decompress_du`	✅	3s	1s	+200%
`mlk_poly_decompress_dv`	✅	3s	3s	+0%
`mlk_poly_getnoise_eta1122_4x`	✅	3s	2s	+50%
`mlk_poly_getnoise_eta1_4x`	✅	3s	5s	-40%
`mlk_poly_getnoise_eta1_4x_native`	✅	3s	4s	-25%
`mlk_poly_mulcache_compute`	✅	3s	2s	+50%
`mlk_poly_ntt`	✅	3s	2s	+50%
`mlk_poly_sub`	✅	3s	3s	+0%
`mlk_poly_tobytes_c`	✅	3s	2s	+50%
`mlk_polyvec_compress_du`	✅	3s	3s	+0%
`mlk_polyvec_decompress_du`	✅	3s	2s	+50%
`mlk_polyvec_frombytes`	✅	3s	2s	+50%
`mlk_polyvec_reduce`	✅	3s	4s	-25%
`mlk_polyvec_tobytes`	✅	3s	3s	+0%
`mlk_scalar_compress_d1`	✅	3s	2s	+50%
`mlk_scalar_compress_d11`	✅	3s	1s	+200%
`mlk_scalar_compress_d5`	✅	3s	1s	+200%
`mlk_scalar_decompress_d11`	✅	3s	3s	+0%
`mlk_scalar_signed_to_unsigned_q`	✅	3s	2s	+50%
`mlk_sha3_256`	✅	3s	3s	+0%
`mlk_shake256`	✅	3s	3s	+0%
`mlk_value_barrier_u32`	✅	3s	2s	+50%
`mlk_value_barrier_u8`	✅	3s	1s	+200%
`ntt_native_aarch64`	✅	3s	2s	+50%
`ntt_native_x86_64`	✅	3s	2s	+50%
`nttunpack_native_x86_64`	✅	3s	3s	+0%
`poly_mulcache_compute_native_aarch64`	✅	3s	4s	-25%
`poly_reduce_native_aarch64`	✅	3s	1s	+200%
`poly_reduce_native_x86_64`	✅	3s	3s	+0%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	3s	3s	+0%
`rej_uniform_native_aarch64`	✅	3s	1s	+200%
`sys_check_capability`	✅	3s	2s	+50%
`intt_native_x86_64`	✅	2s	1s	+100%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	3s	-33%
`keccak_f1600_x4_native_avx2`	✅	2s	1s	+100%
`keccakf1600x4_extract_bytes_native`	✅	2s	2s	+0%
`kem_enc_derand`	✅	2s	4s	-50%
`kem_keypair`	✅	2s	3s	-33%
`kem_keypair_derand`	✅	2s	3s	-33%
`mlk_barrett_reduce`	✅	2s	4s	-50%
`mlk_ct_cmask_neg_i16`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mlk_keccakf1600_permute`	✅	2s	2s	+0%
`mlk_keccakf1600_permute_c`	✅	2s	-	new
`mlk_keccakf1600_xor_bytes`	✅	2s	2s	+0%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`mlk_keccakf1600x4_extract_bytes`	✅	2s	2s	+0%
`mlk_keccakf1600x4_extract_bytes_c`	✅	2s	-	new
`mlk_keccakf1600x4_xor_bytes`	✅	2s	2s	+0%
`mlk_keccakf1600x4_xor_bytes_c`	✅	2s	-	new
`mlk_montgomery_reduce`	✅	2s	2s	+0%
`mlk_poly_compress_d4_c`	✅	2s	1s	+100%
`mlk_poly_compress_d4_native`	✅	2s	2s	+0%
`mlk_poly_compress_d5`	✅	2s	1s	+100%
`mlk_poly_compress_du`	✅	2s	2s	+0%
`mlk_poly_decompress_d10`	✅	2s	2s	+0%
`mlk_poly_decompress_d10_c`	✅	2s	1s	+100%
`mlk_poly_decompress_d11_c`	✅	2s	3s	-33%
`mlk_poly_decompress_d4`	✅	2s	1s	+100%
`mlk_poly_decompress_d5`	✅	2s	4s	-50%
`mlk_poly_decompress_d5_c`	✅	2s	2s	+0%
`mlk_poly_frombytes_c`	✅	2s	3s	-33%
`mlk_poly_invntt_tomont_c`	✅	2s	2s	+0%
`mlk_poly_ntt_c`	✅	2s	3s	-33%
`mlk_poly_tobytes_native`	✅	2s	2s	+0%
`mlk_poly_tomont`	✅	2s	3s	-33%
`mlk_poly_tomont_native`	✅	2s	1s	+100%
`mlk_polyvec_mulcache_compute`	✅	2s	1s	+100%
`mlk_polyvec_permute_bitrev_to_custom`	✅	2s	1s	+100%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	2s	4s	-50%
`mlk_polyvec_tomont`	✅	2s	3s	-33%
`mlk_rej_uniform`	✅	2s	3s	-33%
`mlk_scalar_compress_d10`	✅	2s	2s	+0%
`mlk_scalar_compress_d4`	✅	2s	3s	-33%
`mlk_scalar_decompress_d10`	✅	2s	2s	+0%
`mlk_scalar_decompress_d4`	✅	2s	2s	+0%
`mlk_sha3_512`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	1s	+100%
`mlk_shake128x4_absorb_once`	✅	2s	4s	-50%
`mlk_shake128x4_squeezeblocks`	✅	2s	2s	+0%
`mlk_value_barrier_i32`	✅	2s	2s	+0%
`poly_compress_d10_native_x86_64`	✅	2s	1s	+100%
`poly_compress_d5_native_x86_64`	✅	2s	2s	+0%
`poly_decompress_d10_native_x86_64`	✅	2s	2s	+0%
`poly_decompress_d4_native_x86_64`	✅	2s	2s	+0%
`poly_tomont_native_aarch64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	2s	1s	+100%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	2s	4s	-50%
`rej_uniform_native_x86_64`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v84a`	✅	1s	4s	-75%
`keccakf1600x4_xor_bytes_native`	✅	1s	4s	-75%
`kem_check_sk`	✅	1s	2s	-50%
`mlk_ct_get_optblocker_i32`	✅	1s	4s	-75%
`mlk_ct_get_optblocker_u32`	✅	1s	2s	-50%
`mlk_ct_sel_int16`	✅	1s	2s	-50%
`mlk_keccakf1600x4_permute`	✅	1s	4s	-75%
`mlk_poly_compress_d10_native`	✅	1s	3s	-67%
`mlk_poly_compress_d11`	✅	1s	1s	+0%
`mlk_poly_compress_d5_c`	✅	1s	1s	+0%
`mlk_poly_decompress_d4_c`	✅	1s	4s	-75%
`mlk_poly_decompress_d4_native`	✅	1s	2s	-50%
`mlk_poly_invntt_tomont`	✅	1s	3s	-67%
`mlk_poly_mulcache_compute_native`	✅	1s	3s	-67%
`mlk_poly_reduce_c`	✅	1s	2s	-50%
`mlk_poly_tobytes`	✅	1s	2s	-50%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	1s	2s	-50%
`poly_compress_d4_native_x86_64`	✅	1s	1s	+0%
`poly_invntt_tomont_native`	✅	1s	3s	-67%
`poly_mulcache_compute_native_x86_64`	✅	1s	3s	-67%
`poly_tobytes_native_aarch64`	✅	1s	3s	-67%
`poly_tomont_native_x86_64`	✅	1s	4s	-75%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	1s	4s	-75%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	1s	3s	-67%

hanno-becker · 2026-03-19T05:15:32Z

@willieyz Could you rebase this?

@mkannwischer Do you have time to take on the review? If so, can you assign yourself?

willieyz · 2026-03-21T04:02:28Z

@willieyz Could you rebase this?

@mkannwischer Do you have time to take on the review? If so, can you assign yourself?

Hello @hanno-becker and @mkannwischer,
sorry for the late reply...
I’m on vacation right now and will be back on March 23. Is it okay if I rebase the PR then?
I will report with discord chat when I finish the rebase!

rod-chapman · 2026-03-23T17:44:06Z

I can review if you like...

rod-chapman

All proofs for K=2,3,4 looks good.
"tests all" on macOS look good.

rod-chapman

Looks good. Please squash and merge.

willieyz · 2026-03-25T02:14:43Z

@mkannwischer , @rod-chapman ,

Thank you for helping review!
The CI look goods after squash,
I don't have the authority to merge branch to main...is it ok to help me merge this PR?
Thank you for your help again!

This commit introduce separate proof for: - mlk_keccakf1600_permute_c() - mlk_keccakf1600x4_extract_bytes_c() - mlk_keccakf1600x4_xor_bytes_c() For arithmetic function that have a native implementation, we have 3 CBMC proofs: 1. Proof for the pure C implementation names XXX_c() 2. Proof for the wrapper function on top of the C implementation 3. Proof for the wrapper function on top of the native function (with C fallback). This commit seperate current proofs for these three functions follow above structure. For each function, the following steps performed: - Add the corresponding CBMC contract, copied from the wrapper function. - Create a dedicated CBMC proof for the pure C implementation. - Update the existing wrapper CBMC proof Makefiles by adding XXX_C to USE_FUNCTION_CONTRACTS, and apply the same change to the native proof configuration. Signed-off-by: willieyz <willie.zhao@chelpis.com>

mkannwischer

Thanks @willieyz! Everything looks good to me.

oqs-bot

ppc64le (POWER10) benchmarks

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`59316` cycles	`59252` cycles	`1.00`
`ML-KEM-512 encaps`	`71934` cycles	`72002` cycles	`1.00`
`ML-KEM-512 decaps`	`91807` cycles	`91771` cycles	`1.00`
`ML-KEM-768 keypair`	`98320` cycles	`98502` cycles	`1.00`
`ML-KEM-768 encaps`	`114831` cycles	`115188` cycles	`1.00`
`ML-KEM-768 decaps`	`140331` cycles	`141190` cycles	`0.99`
`ML-KEM-1024 keypair`	`149240` cycles	`150793` cycles	`0.99`
`ML-KEM-1024 encaps`	`167613` cycles	`169928` cycles	`0.99`
`ML-KEM-1024 decaps`	`198818` cycles	`201704` cycles	`0.99`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`14222` cycles	`14251` cycles	`1.00`
`ML-KEM-512 encaps`	`16002` cycles	`15979` cycles	`1.00`
`ML-KEM-512 decaps`	`21505` cycles	`21481` cycles	`1.00`
`ML-KEM-768 keypair`	`25141` cycles	`24668` cycles	`1.02`
`ML-KEM-768 encaps`	`25682` cycles	`25470` cycles	`1.01`
`ML-KEM-768 decaps`	`33494` cycles	`33270` cycles	`1.01`
`ML-KEM-1024 keypair`	`34933` cycles	`37191` cycles	`0.94`
`ML-KEM-1024 encaps`	`36123` cycles	`36706` cycles	`0.98`
`ML-KEM-1024 decaps`	`47329` cycles	`46710` cycles	`1.01`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`12791` cycles	`12775` cycles	`1.00`
`ML-KEM-512 encaps`	`14274` cycles	`14255` cycles	`1.00`
`ML-KEM-512 decaps`	`19144` cycles	`19129` cycles	`1.00`
`ML-KEM-768 keypair`	`22520` cycles	`22420` cycles	`1.00`
`ML-KEM-768 encaps`	`23084` cycles	`23055` cycles	`1.00`
`ML-KEM-768 decaps`	`30070` cycles	`30105` cycles	`1.00`
`ML-KEM-1024 keypair`	`34220` cycles	`33051` cycles	`1.04`
`ML-KEM-1024 encaps`	`32991` cycles	`33046` cycles	`1.00`
`ML-KEM-1024 decaps`	`42428` cycles	`42462` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'AMD EPYC 4th gen (c7a)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-1024 keypair`	`34220` cycles	`33051` cycles	`1.04`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`17635` cycles	`17527` cycles	`1.01`
`ML-KEM-512 encaps`	`19858` cycles	`19877` cycles	`1.00`
`ML-KEM-512 decaps`	`26404` cycles	`26407` cycles	`1.00`
`ML-KEM-768 keypair`	`32989` cycles	`32729` cycles	`1.01`
`ML-KEM-768 encaps`	`31031` cycles	`31098` cycles	`1.00`
`ML-KEM-768 decaps`	`41488` cycles	`41525` cycles	`1.00`
`ML-KEM-1024 keypair`	`43791` cycles	`43945` cycles	`1.00`
`ML-KEM-1024 encaps`	`46090` cycles	`45566` cycles	`1.01`
`ML-KEM-1024 decaps`	`58086` cycles	`58248` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a) (no-opt)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`40211` cycles	`40248` cycles	`1.00`
`ML-KEM-512 encaps`	`48373` cycles	`48390` cycles	`1.00`
`ML-KEM-512 decaps`	`62515` cycles	`62592` cycles	`1.00`
`ML-KEM-768 keypair`	`63778` cycles	`63722` cycles	`1.00`
`ML-KEM-768 encaps`	`74904` cycles	`74924` cycles	`1.00`
`ML-KEM-768 decaps`	`93528` cycles	`93580` cycles	`1.00`
`ML-KEM-1024 keypair`	`95278` cycles	`95181` cycles	`1.00`
`ML-KEM-1024 encaps`	`109357` cycles	`109356` cycles	`1.00`
`ML-KEM-1024 decaps`	`132118` cycles	`132123` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a) (no-opt)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`36738` cycles	`36607` cycles	`1.00`
`ML-KEM-512 encaps`	`43105` cycles	`43075` cycles	`1.00`
`ML-KEM-512 decaps`	`55699` cycles	`55712` cycles	`1.00`
`ML-KEM-768 keypair`	`58653` cycles	`58684` cycles	`1.00`
`ML-KEM-768 encaps`	`67574` cycles	`67535` cycles	`1.00`
`ML-KEM-768 decaps`	`84473` cycles	`84482` cycles	`1.00`
`ML-KEM-1024 keypair`	`89041` cycles	`89050` cycles	`1.00`
`ML-KEM-1024 encaps`	`99192` cycles	`99289` cycles	`1.00`
`ML-KEM-1024 decaps`	`120586` cycles	`120664` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`17688` cycles	`17644` cycles	`1.00`
`ML-KEM-512 encaps`	`20643` cycles	`20600` cycles	`1.00`
`ML-KEM-512 decaps`	`27087` cycles	`27075` cycles	`1.00`
`ML-KEM-768 keypair`	`29976` cycles	`29912` cycles	`1.00`
`ML-KEM-768 encaps`	`32751` cycles	`32771` cycles	`1.00`
`ML-KEM-768 decaps`	`42012` cycles	`41970` cycles	`1.00`
`ML-KEM-1024 keypair`	`43724` cycles	`43743` cycles	`1.00`
`ML-KEM-1024 encaps`	`48765` cycles	`48647` cycles	`1.00`
`ML-KEM-1024 decaps`	`61386` cycles	`61390` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`18673` cycles	`18638` cycles	`1.00`
`ML-KEM-512 encaps`	`21882` cycles	`21880` cycles	`1.00`
`ML-KEM-512 decaps`	`28889` cycles	`28867` cycles	`1.00`
`ML-KEM-768 keypair`	`31627` cycles	`31540` cycles	`1.00`
`ML-KEM-768 encaps`	`34790` cycles	`34772` cycles	`1.00`
`ML-KEM-768 decaps`	`44838` cycles	`44774` cycles	`1.00`
`ML-KEM-1024 keypair`	`46068` cycles	`46064` cycles	`1.00`
`ML-KEM-1024 encaps`	`51499` cycles	`51478` cycles	`1.00`
`ML-KEM-1024 decaps`	`65009` cycles	`65016` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i) (no-opt)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`45678` cycles	`45640` cycles	`1.00`
`ML-KEM-512 encaps`	`54401` cycles	`54165` cycles	`1.00`
`ML-KEM-512 decaps`	`69715` cycles	`69737` cycles	`1.00`
`ML-KEM-768 keypair`	`74426` cycles	`74168` cycles	`1.00`
`ML-KEM-768 encaps`	`86069` cycles	`86023` cycles	`1.00`
`ML-KEM-768 decaps`	`106666` cycles	`106591` cycles	`1.00`
`ML-KEM-1024 keypair`	`112116` cycles	`111992` cycles	`1.00`
`ML-KEM-1024 encaps`	`124597` cycles	`124502` cycles	`1.00`
`ML-KEM-1024 decaps`	`150596` cycles	`150505` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Arm Cortex-A76 (Raspberry Pi 5) benchmarks

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`28283` cycles	`28251` cycles	`1.00`
`ML-KEM-512 encaps`	`34106` cycles	`34100` cycles	`1.00`
`ML-KEM-512 decaps`	`44378` cycles	`44327` cycles	`1.00`
`ML-KEM-768 keypair`	`47689` cycles	`47616` cycles	`1.00`
`ML-KEM-768 encaps`	`53909` cycles	`53939` cycles	`1.00`
`ML-KEM-768 decaps`	`68364` cycles	`68367` cycles	`1.00`
`ML-KEM-1024 keypair`	`70320` cycles	`70214` cycles	`1.00`
`ML-KEM-1024 encaps`	`78754` cycles	`78751` cycles	`1.00`
`ML-KEM-1024 decaps`	`98534` cycles	`98433` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4 (no-opt)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`35454` cycles	`35413` cycles	`1.00`
`ML-KEM-512 encaps`	`40096` cycles	`40113` cycles	`1.00`
`ML-KEM-512 decaps`	`51098` cycles	`51138` cycles	`1.00`
`ML-KEM-768 keypair`	`56746` cycles	`56670` cycles	`1.00`
`ML-KEM-768 encaps`	`64562` cycles	`65148` cycles	`0.99`
`ML-KEM-768 decaps`	`79382` cycles	`79302` cycles	`1.00`
`ML-KEM-1024 keypair`	`87851` cycles	`87866` cycles	`1.00`
`ML-KEM-1024 encaps`	`97112` cycles	`96877` cycles	`1.00`
`ML-KEM-1024 decaps`	`115948` cycles	`115816` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3 (no-opt)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`39029` cycles	`38897` cycles	`1.00`
`ML-KEM-512 encaps`	`44584` cycles	`44596` cycles	`1.00`
`ML-KEM-512 decaps`	`56647` cycles	`56669` cycles	`1.00`
`ML-KEM-768 keypair`	`62454` cycles	`62285` cycles	`1.00`
`ML-KEM-768 encaps`	`71387` cycles	`72299` cycles	`0.99`
`ML-KEM-768 decaps`	`86857` cycles	`87688` cycles	`0.99`
`ML-KEM-1024 keypair`	`96225` cycles	`96159` cycles	`1.00`
`ML-KEM-1024 encaps`	`106381` cycles	`106134` cycles	`1.00`
`ML-KEM-1024 decaps`	`126813` cycles	`126582` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`28248` cycles	`28276` cycles	`1.00`
`ML-KEM-512 encaps`	`34160` cycles	`34135` cycles	`1.00`
`ML-KEM-512 decaps`	`44353` cycles	`44418` cycles	`1.00`
`ML-KEM-768 keypair`	`47636` cycles	`47670` cycles	`1.00`
`ML-KEM-768 encaps`	`53922` cycles	`53905` cycles	`1.00`
`ML-KEM-768 decaps`	`68402` cycles	`68360` cycles	`1.00`
`ML-KEM-1024 keypair`	`70344` cycles	`70229` cycles	`1.00`
`ML-KEM-1024 encaps`	`78742` cycles	`78814` cycles	`1.00`
`ML-KEM-1024 decaps`	`98527` cycles	`98458` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2 (no-opt)

Details

Benchmark suite	Current: `b31d508`	Previous: `e07bff5`	Ratio
`ML-KEM-512 keypair`	`59207` cycles	`59133` cycles	`1.00`
`ML-KEM-512 encaps`	`68651` cycles	`68648` cycles	`1.00`
`ML-KEM-512 decaps`	`87381` cycles	`87354` cycles	`1.00`
`ML-KEM-768 keypair`	`95416` cycles	`95243` cycles	`1.00`
`ML-KEM-768 encaps`	`110374` cycles	`109832` cycles	`1.00`
`ML-KEM-768 decaps`	`134612` cycles	`134307` cycles	`1.00`
`ML-KEM-1024 keypair`	`148054` cycles	`147904` cycles	`1.00`
`ML-KEM-1024 encaps`	`163784` cycles	`163729` cycles	`1.00`
`ML-KEM-1024 decaps`	`195572` cycles	`195378` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

willieyz force-pushed the separate-keccakf1600-cbmc branch from 3483598 to 9d9121d Compare March 4, 2026 08:51

willieyz force-pushed the separate-keccakf1600-cbmc branch from 9d9121d to 74f0e3f Compare March 4, 2026 09:04

willieyz force-pushed the separate-keccakf1600-cbmc branch from 74f0e3f to 88a8405 Compare March 4, 2026 09:15

willieyz marked this pull request as ready for review March 4, 2026 10:27

willieyz requested a review from a team as a code owner March 4, 2026 10:27

hanno-becker force-pushed the separate-keccakf1600-cbmc branch from 88a8405 to a183422 Compare March 7, 2026 00:44

willieyz force-pushed the separate-keccakf1600-cbmc branch 2 times, most recently from 03d8088 to 58e8720 Compare March 23, 2026 17:23

rod-chapman reviewed Mar 23, 2026

View reviewed changes

Comment thread proofs/cbmc/keccakf1600x4_extract_bytes_c/Makefile Outdated

Comment thread proofs/cbmc/keccakf1600x4_xor_bytes_c/Makefile Outdated

willieyz force-pushed the separate-keccakf1600-cbmc branch from 58e8720 to 164f161 Compare March 24, 2026 03:22

rod-chapman approved these changes Mar 24, 2026

View reviewed changes

willieyz force-pushed the separate-keccakf1600-cbmc branch from 164f161 to 1fa8997 Compare March 24, 2026 10:07

mkannwischer self-assigned this Apr 2, 2026

mkannwischer force-pushed the separate-keccakf1600-cbmc branch from 1fa8997 to b31d508 Compare April 4, 2026 02:02

mkannwischer approved these changes Apr 4, 2026

View reviewed changes

mkannwischer merged commit 80712a8 into main Apr 4, 2026
370 checks passed

mkannwischer deleted the separate-keccakf1600-cbmc branch April 4, 2026 02:59

mkannwischer added the needs-mldsa-native-port label Apr 6, 2026

oqs-bot reviewed Apr 6, 2026

View reviewed changes

Conversation

willieyz commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oqs-bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-KEM-512)

Uh oh!

oqs-bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-KEM-768)

Uh oh!

oqs-bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-KEM-1024)

Uh oh!

hanno-becker commented Mar 19, 2026

Uh oh!

willieyz commented Mar 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rod-chapman commented Mar 23, 2026

Uh oh!

rod-chapman left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

rod-chapman left a comment

Choose a reason for hiding this comment

Uh oh!

willieyz commented Mar 25, 2026

Uh oh!

mkannwischer left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

ppc64le (POWER10) benchmarks

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

⚠️ Performance Alert ⚠️

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton4

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Graviton3

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i) (no-opt)

Uh oh!

oqs-bot left a comment

Choose a reason for hiding this comment

Arm Cortex-A76 (Raspberry Pi 5) benchmarks

willieyz commented Mar 4, 2026 •

edited

Loading

oqs-bot commented Mar 4, 2026 •

edited

Loading

oqs-bot commented Mar 4, 2026 •

edited

Loading

oqs-bot commented Mar 4, 2026 •

edited

Loading

willieyz commented Mar 21, 2026 •

edited

Loading