RFC: Add incremental encaps API to support ML-KEM Braid by mkannwischer · Pull Request #1619 · pq-code-package/mlkem-native

mkannwischer · 2026-03-12T05:29:47Z

Split ML-KEM encapsulation into two phases (mlk_kem_enc_derand_u / mlk_kem_enc_v) to support protocols like Braid that need to interleave encapsulation with other operations between computing the u- and v-components of the ciphertext. The first phase only requires the public seed and H(pk), not the full public key vector. Internally, K-PKE.Encrypt is refactored into mlk_indcpa_enc_u + mlk_indcpa_enc_v. The non-incremental KEM path calls mlk_indcpa_enc directly to avoid serialization overhead. The intermediate noise polynomial epp is serialized as 4-bit nibbles (128 bytes) - this is primarily done to not require a pre-condition on the allowed values.

oqs-bot

Intel Xeon 4th gen (c7i)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`12152` cycles	`11971` cycles	`1.02`
`ML-KEM-512 encaps`	`13644` cycles	`13745` cycles	`0.99`
`ML-KEM-512 decaps`	`17745` cycles	`17771` cycles	`1.00`
`ML-KEM-768 keypair`	`21243` cycles	`21010` cycles	`1.01`
`ML-KEM-768 encaps`	`22040` cycles	`22095` cycles	`1.00`
`ML-KEM-768 decaps`	`28171` cycles	`28300` cycles	`1.00`
`ML-KEM-1024 keypair`	`30069` cycles	`29866` cycles	`1.01`
`ML-KEM-1024 encaps`	`31921` cycles	`31758` cycles	`1.01`
`ML-KEM-1024 decaps`	`41455` cycles	`39591` cycles	`1.05`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

ppc64le (POWER10) benchmarks

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`59195` cycles	`60047` cycles	`0.99`
`ML-KEM-512 encaps`	`72146` cycles	`72930` cycles	`0.99`
`ML-KEM-512 decaps`	`92035` cycles	`92987` cycles	`0.99`
`ML-KEM-768 keypair`	`98370` cycles	`98984` cycles	`0.99`
`ML-KEM-768 encaps`	`114890` cycles	`115469` cycles	`0.99`
`ML-KEM-768 decaps`	`140426` cycles	`141322` cycles	`0.99`
`ML-KEM-1024 keypair`	`150732` cycles	`149075` cycles	`1.01`
`ML-KEM-1024 encaps`	`169608` cycles	`167651` cycles	`1.01`
`ML-KEM-1024 decaps`	`200794` cycles	`198842` cycles	`1.01`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`14387` cycles	`14291` cycles	`1.01`
`ML-KEM-512 encaps`	`16035` cycles	`16019` cycles	`1.00`
`ML-KEM-512 decaps`	`21525` cycles	`21507` cycles	`1.00`
`ML-KEM-768 keypair`	`24400` cycles	`24715` cycles	`0.99`
`ML-KEM-768 encaps`	`25724` cycles	`25491` cycles	`1.01`
`ML-KEM-768 decaps`	`33593` cycles	`33275` cycles	`1.01`
`ML-KEM-1024 keypair`	`37480` cycles	`37264` cycles	`1.01`
`ML-KEM-1024 encaps`	`36769` cycles	`36892` cycles	`1.00`
`ML-KEM-1024 decaps`	`51840` cycles	`46772` cycles	`1.11`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'AMD EPYC 3rd gen (c6a)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-1024 decaps`	`51840` cycles	`46772` cycles	`1.11`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 4th gen (c7i) (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`29373` cycles	`28131` cycles	`1.04`
`ML-KEM-512 encaps`	`35678` cycles	`36568` cycles	`0.98`
`ML-KEM-512 decaps`	`45642` cycles	`45119` cycles	`1.01`
`ML-KEM-768 keypair`	`46591` cycles	`46297` cycles	`1.01`
`ML-KEM-768 encaps`	`56594` cycles	`55658` cycles	`1.02`
`ML-KEM-768 decaps`	`69487` cycles	`69941` cycles	`0.99`
`ML-KEM-1024 keypair`	`70808` cycles	`70194` cycles	`1.01`
`ML-KEM-1024 encaps`	`83450` cycles	`82475` cycles	`1.01`
`ML-KEM-1024 decaps`	`99996` cycles	`98796` cycles	`1.01`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`13153` cycles	`12768` cycles	`1.03`
`ML-KEM-512 encaps`	`14346` cycles	`14254` cycles	`1.01`
`ML-KEM-512 decaps`	`19181` cycles	`19131` cycles	`1.00`
`ML-KEM-768 keypair`	`22698` cycles	`22414` cycles	`1.01`
`ML-KEM-768 encaps`	`23090` cycles	`23041` cycles	`1.00`
`ML-KEM-768 decaps`	`30119` cycles	`30089` cycles	`1.00`
`ML-KEM-1024 keypair`	`34312` cycles	`33024` cycles	`1.04`
`ML-KEM-1024 encaps`	`33755` cycles	`33006` cycles	`1.02`
`ML-KEM-1024 decaps`	`49559` cycles	`42430` cycles	`1.17`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'AMD EPYC 4th gen (c7a)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`13153` cycles	`12768` cycles	`1.03`
`ML-KEM-1024 keypair`	`34312` cycles	`33024` cycles	`1.04`
`ML-KEM-1024 decaps`	`49559` cycles	`42430` cycles	`1.17`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`17529` cycles	`17485` cycles	`1.00`
`ML-KEM-512 encaps`	`19911` cycles	`19875` cycles	`1.00`
`ML-KEM-512 decaps`	`26540` cycles	`26415` cycles	`1.00`
`ML-KEM-768 keypair`	`30128` cycles	`31874` cycles	`0.95`
`ML-KEM-768 encaps`	`31845` cycles	`31109` cycles	`1.02`
`ML-KEM-768 decaps`	`42575` cycles	`41545` cycles	`1.02`
`ML-KEM-1024 keypair`	`44864` cycles	`46137` cycles	`0.97`
`ML-KEM-1024 encaps`	`44752` cycles	`45137` cycles	`0.99`
`ML-KEM-1024 decaps`	`64002` cycles	`58253` cycles	`1.10`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Intel Xeon 3rd gen (c6i)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-1024 decaps`	`64002` cycles	`58253` cycles	`1.10`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a) (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`39951` cycles	`40253` cycles	`0.99`
`ML-KEM-512 encaps`	`47767` cycles	`48411` cycles	`0.99`
`ML-KEM-512 decaps`	`61840` cycles	`62600` cycles	`0.99`
`ML-KEM-768 keypair`	`63674` cycles	`63756` cycles	`1.00`
`ML-KEM-768 encaps`	`74641` cycles	`74947` cycles	`1.00`
`ML-KEM-768 decaps`	`93375` cycles	`93618` cycles	`1.00`
`ML-KEM-1024 keypair`	`95372` cycles	`94982` cycles	`1.00`
`ML-KEM-1024 encaps`	`109781` cycles	`109167` cycles	`1.01`
`ML-KEM-1024 decaps`	`132330` cycles	`131931` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a) (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`36701` cycles	`36584` cycles	`1.00`
`ML-KEM-512 encaps`	`43152` cycles	`43043` cycles	`1.00`
`ML-KEM-512 decaps`	`55795` cycles	`55694` cycles	`1.00`
`ML-KEM-768 keypair`	`58743` cycles	`58618` cycles	`1.00`
`ML-KEM-768 encaps`	`67609` cycles	`67618` cycles	`1.00`
`ML-KEM-768 decaps`	`84501` cycles	`84427` cycles	`1.00`
`ML-KEM-1024 keypair`	`89062` cycles	`88963` cycles	`1.00`
`ML-KEM-1024 encaps`	`99756` cycles	`99133` cycles	`1.01`
`ML-KEM-1024 decaps`	`121245` cycles	`120720` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Arm Cortex-A76 (Raspberry Pi 5) benchmarks

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`28275` cycles	`28233` cycles	`1.00`
`ML-KEM-512 encaps`	`34131` cycles	`34105` cycles	`1.00`
`ML-KEM-512 decaps`	`44304` cycles	`44329` cycles	`1.00`
`ML-KEM-768 keypair`	`47642` cycles	`47627` cycles	`1.00`
`ML-KEM-768 encaps`	`53960` cycles	`53956` cycles	`1.00`
`ML-KEM-768 decaps`	`68365` cycles	`68377` cycles	`1.00`
`ML-KEM-1024 keypair`	`70313` cycles	`70255` cycles	`1.00`
`ML-KEM-1024 encaps`	`78726` cycles	`78806` cycles	`1.00`
`ML-KEM-1024 decaps`	`98488` cycles	`98442` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`17680` cycles	`17650` cycles	`1.00`
`ML-KEM-512 encaps`	`20631` cycles	`20601` cycles	`1.00`
`ML-KEM-512 decaps`	`27073` cycles	`27068` cycles	`1.00`
`ML-KEM-768 keypair`	`29910` cycles	`29899` cycles	`1.00`
`ML-KEM-768 encaps`	`32727` cycles	`32776` cycles	`1.00`
`ML-KEM-768 decaps`	`41962` cycles	`41967` cycles	`1.00`
`ML-KEM-1024 keypair`	`43761` cycles	`43750` cycles	`1.00`
`ML-KEM-1024 encaps`	`48733` cycles	`48727` cycles	`1.00`
`ML-KEM-1024 decaps`	`61415` cycles	`61390` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i) (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`46111` cycles	`45656` cycles	`1.01`
`ML-KEM-512 encaps`	`55139` cycles	`54451` cycles	`1.01`
`ML-KEM-512 decaps`	`70721` cycles	`69753` cycles	`1.01`
`ML-KEM-768 keypair`	`73470` cycles	`74171` cycles	`0.99`
`ML-KEM-768 encaps`	`85413` cycles	`85948` cycles	`0.99`
`ML-KEM-768 decaps`	`105843` cycles	`106520` cycles	`0.99`
`ML-KEM-1024 keypair`	`111019` cycles	`112098` cycles	`0.99`
`ML-KEM-1024 encaps`	`125122` cycles	`124601` cycles	`1.00`
`ML-KEM-1024 decaps`	`151053` cycles	`150531` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4 (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`35447` cycles	`35416` cycles	`1.00`
`ML-KEM-512 encaps`	`40331` cycles	`40122` cycles	`1.01`
`ML-KEM-512 decaps`	`51344` cycles	`51145` cycles	`1.00`
`ML-KEM-768 keypair`	`57094` cycles	`56670` cycles	`1.01`
`ML-KEM-768 encaps`	`64575` cycles	`65151` cycles	`0.99`
`ML-KEM-768 decaps`	`78817` cycles	`79295` cycles	`0.99`
`ML-KEM-1024 keypair`	`88008` cycles	`87866` cycles	`1.00`
`ML-KEM-1024 encaps`	`96932` cycles	`96879` cycles	`1.00`
`ML-KEM-1024 decaps`	`115797` cycles	`115822` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`18658` cycles	`18639` cycles	`1.00`
`ML-KEM-512 encaps`	`21870` cycles	`21876` cycles	`1.00`
`ML-KEM-512 decaps`	`28837` cycles	`28861` cycles	`1.00`
`ML-KEM-768 keypair`	`31600` cycles	`31540` cycles	`1.00`
`ML-KEM-768 encaps`	`34735` cycles	`34771` cycles	`1.00`
`ML-KEM-768 decaps`	`44751` cycles	`44775` cycles	`1.00`
`ML-KEM-1024 keypair`	`46031` cycles	`46082` cycles	`1.00`
`ML-KEM-1024 encaps`	`51541` cycles	`51501` cycles	`1.00`
`ML-KEM-1024 decaps`	`65106` cycles	`65036` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`28320` cycles	`28256` cycles	`1.00`
`ML-KEM-512 encaps`	`34158` cycles	`34110` cycles	`1.00`
`ML-KEM-512 decaps`	`44412` cycles	`44398` cycles	`1.00`
`ML-KEM-768 keypair`	`47625` cycles	`47665` cycles	`1.00`
`ML-KEM-768 encaps`	`53977` cycles	`53940` cycles	`1.00`
`ML-KEM-768 decaps`	`68358` cycles	`68363` cycles	`1.00`
`ML-KEM-1024 keypair`	`70289` cycles	`70328` cycles	`1.00`
`ML-KEM-1024 encaps`	`78826` cycles	`78757` cycles	`1.00`
`ML-KEM-1024 decaps`	`98493` cycles	`98529` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3 (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`39109` cycles	`38887` cycles	`1.01`
`ML-KEM-512 encaps`	`44790` cycles	`44596` cycles	`1.00`
`ML-KEM-512 decaps`	`56879` cycles	`56673` cycles	`1.00`
`ML-KEM-768 keypair`	`62450` cycles	`62294` cycles	`1.00`
`ML-KEM-768 encaps`	`71104` cycles	`72330` cycles	`0.98`
`ML-KEM-768 decaps`	`86786` cycles	`87696` cycles	`0.99`
`ML-KEM-1024 keypair`	`96321` cycles	`96160` cycles	`1.00`
`ML-KEM-1024 encaps`	`106404` cycles	`106135` cycles	`1.00`
`ML-KEM-1024 decaps`	`126710` cycles	`126583` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2 (no-opt)

Details

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`59172` cycles	`59049` cycles	`1.00`
`ML-KEM-512 encaps`	`68760` cycles	`68578` cycles	`1.00`
`ML-KEM-512 decaps`	`87506` cycles	`87314` cycles	`1.00`
`ML-KEM-768 keypair`	`95700` cycles	`95479` cycles	`1.00`
`ML-KEM-768 encaps`	`110650` cycles	`109908` cycles	`1.01`
`ML-KEM-768 decaps`	`134421` cycles	`134361` cycles	`1.00`
`ML-KEM-1024 keypair`	`147695` cycles	`147876` cycles	`1.00`
`ML-KEM-1024 encaps`	`163732` cycles	`163805` cycles	`1.00`
`ML-KEM-1024 decaps`	`195466` cycles	`195456` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot · 2026-03-12T06:54:39Z

CBMC Results (ML-KEM-512)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`mlk_enc_derand_u`	❌	-	-	-
`mlk_enc_v`	❌	-	-	-
`mlk_indcpa_enc`	❌	-	152s	-
`mlk_indcpa_enc_u`	❌	-	-	-
`mlk_indcpa_enc_v`	❌	-	-	-
`mlk_indcpa_keypair_derand`	⚠️	165s	99s	+67%

Full Results (191 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1154s	1186s	-2.7%
`mlk_indcpa_keypair_derand`	⚠️	165s	99s	+67%
`mlk_keccak_squeezeblocks_x4`	✅	139s	129s	+8%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	88s	64s	+38%
`mlk_rej_uniform_c`	✅	66s	79s	-16%
`mlk_poly_rej_uniform`	✅	38s	38s	+0%
`poly_ntt_native`	✅	31s	29s	+7%
`polyvec_basemul_acc_montgomery_cached_native`	✅	21s	19s	+11%
`keccakf1600x4_permute_native_x4`	✅	20s	19s	+5%
`mlk_ntt_layer`	✅	18s	13s	+38%
`mlk_polyvec_add`	✅	16s	17s	-6%
`mlk_poly_frommsg`	✅	15s	8s	+88%
`mlk_poly_reduce_native`	✅	15s	14s	+7%
`mlk_poly_decompress_d4_native`	✅	12s	11s	+9%
`mlk_indcpa_dec`	✅	11s	11s	+0%
`mlk_poly_decompress_d10_native`	✅	11s	12s	-8%
`mlk_poly_frombytes_native`	✅	11s	8s	+38%
`mlk_poly_rej_uniform_x4`	✅	10s	8s	+25%
`mlk_polymat_permute_bitrev_to_custom`	✅	10s	8s	+25%
`keccakf1600_permute_native`	✅	9s	8s	+12%
`mlk_keccak_squeeze_once`	✅	8s	6s	+33%
`mlk_fqmul`	✅	7s	7s	+0%
`mlk_invntt_layer`	✅	7s	4s	+75%
`mlk_keccak_squeezeblocks`	✅	7s	5s	+40%
`mlk_ntt_butterfly_block`	✅	7s	8s	-12%
`mlk_keccak_absorb_once_x4`	✅	6s	8s	-25%
`kem_dec`	✅	5s	5s	+0%
`mlk_keccakf1600x4_permute`	✅	5s	1s	+400%
`mlk_poly_add`	✅	5s	5s	+0%
`mlk_poly_cbd_eta1`	✅	5s	1s	+400%
`mlk_poly_compress_d4_native`	✅	5s	3s	+67%
`mlk_polyvec_mulcache_compute`	✅	5s	3s	+67%
`poly_decompress_d10_native_x86_64`	✅	5s	5s	+0%
`poly_reduce_native_x86_64`	✅	5s	3s	+67%
`kem_enc_derand`	✅	4s	4s	+0%
`kem_keypair_derand`	✅	4s	3s	+33%
`mlk_keccak_absorb_once`	✅	4s	6s	-33%
`mlk_keccakf1600x4_extract_bytes`	✅	4s	2s	+100%
`mlk_poly_cbd_eta2`	✅	4s	4s	+0%
`mlk_poly_compress_d10_c`	✅	4s	3s	+33%
`mlk_poly_getnoise_eta1_4x_native`	✅	4s	3s	+33%
`mlk_polyvec_invntt_tomont`	✅	4s	1s	+300%
`mlk_polyvec_reduce`	✅	4s	3s	+33%
`mlk_scalar_decompress_d5`	✅	4s	4s	+0%
`mlk_shake128x4_squeezeblocks`	✅	4s	1s	+300%
`poly_compress_d5_native_x86_64`	✅	4s	1s	+300%
`poly_decompress_d4_native_x86_64`	✅	4s	5s	-20%
`poly_getnoise_eta1122_4x_native`	✅	4s	2s	+100%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	4s	3s	+33%
`intt_native_aarch64`	✅	3s	2s	+50%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	1s	+200%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes_native`	✅	3s	2s	+50%
`kem_check_pk`	✅	3s	4s	-25%
`kem_check_sk`	✅	3s	2s	+50%
`kem_keypair`	✅	3s	4s	-25%
`mlk_ct_cmov_zero`	✅	3s	3s	+0%
`mlk_ct_sel_int16`	✅	3s	3s	+0%
`mlk_gen_matrix_serial`	✅	3s	2s	+50%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	3s	3s	+0%
`mlk_keccakf1600_permute`	✅	3s	4s	-25%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	3s	2s	+50%
`mlk_keccakf1600x4_xor_bytes`	✅	3s	2s	+50%
`mlk_montgomery_reduce`	✅	3s	1s	+200%
`mlk_poly_compress_d10`	✅	3s	4s	-25%
`mlk_poly_compress_d11_c`	✅	3s	4s	-25%
`mlk_poly_compress_d5_native`	✅	3s	2s	+50%
`mlk_poly_decompress_d10_c`	✅	3s	5s	-40%
`mlk_poly_decompress_d4`	✅	3s	2s	+50%
`mlk_poly_decompress_d5_c`	✅	3s	1s	+200%
`mlk_poly_decompress_d5_native`	✅	3s	1s	+200%
`mlk_poly_frombytes`	✅	3s	2s	+50%
`mlk_poly_frombytes_c`	✅	3s	4s	-25%
`mlk_poly_getnoise_eta1122_4x`	✅	3s	2s	+50%
`mlk_poly_getnoise_eta1_4x`	✅	3s	3s	+0%
`mlk_poly_invntt_tomont_c`	✅	3s	2s	+50%
`mlk_poly_mulcache_compute`	✅	3s	2s	+50%
`mlk_poly_mulcache_compute_c`	✅	3s	3s	+0%
`mlk_poly_mulcache_compute_native`	✅	3s	1s	+200%
`mlk_poly_ntt`	✅	3s	3s	+0%
`mlk_poly_ntt_c`	✅	3s	1s	+200%
`mlk_poly_tobytes`	✅	3s	3s	+0%
`mlk_poly_tobytes_c`	✅	3s	3s	+0%
`mlk_poly_tomont`	✅	3s	1s	+200%
`mlk_poly_tomont_c`	✅	3s	3s	+0%
`mlk_poly_tomont_native`	✅	3s	2s	+50%
`mlk_polyvec_compress_du`	✅	3s	2s	+50%
`mlk_polyvec_ntt`	✅	3s	5s	-40%
`mlk_polyvec_permute_bitrev_to_custom`	✅	3s	2s	+50%
`mlk_scalar_compress_d1`	✅	3s	3s	+0%
`mlk_scalar_compress_d4`	✅	3s	1s	+200%
`mlk_sha3_256`	✅	3s	2s	+50%
`mlk_shake256`	✅	3s	3s	+0%
`mlk_shake256x4`	✅	3s	5s	-40%
`poly_compress_d10_native_x86_64`	✅	3s	3s	+0%
`poly_compress_d11_native_x86_64`	✅	3s	2s	+50%
`poly_frombytes_native_x86_64`	✅	3s	4s	-25%
`poly_invntt_tomont_native`	✅	3s	4s	-25%
`poly_reduce_native_aarch64`	✅	3s	1s	+200%
`poly_tobytes_native_aarch64`	✅	3s	2s	+50%
`poly_tomont_native_aarch64`	✅	3s	1s	+200%
`poly_tomont_native_x86_64`	✅	3s	2s	+50%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	3s	2s	+50%
`rej_uniform_native_aarch64`	✅	3s	3s	+0%
`rej_uniform_native_x86_64`	✅	3s	4s	-25%
`intt_native_x86_64`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64`	✅	2s	1s	+100%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes_native`	✅	2s	3s	-33%
`kem_enc`	✅	2s	2s	+0%
`mlk_ct_cmask_neg_i16`	✅	2s	1s	+100%
`mlk_ct_cmask_nonzero_u16`	✅	2s	1s	+100%
`mlk_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mlk_ct_memcmp`	✅	2s	2s	+0%
`mlk_ct_sel_uint8`	✅	2s	1s	+100%
`mlk_gen_matrix`	✅	2s	3s	-33%
`mlk_keccakf1600_xor_bytes`	✅	2s	3s	-33%
`mlk_keypair_getnoise`	✅	2s	2s	+0%
`mlk_poly_compress_d10_native`	✅	2s	2s	+0%
`mlk_poly_compress_d4`	✅	2s	3s	-33%
`mlk_poly_compress_d4_c`	✅	2s	2s	+0%
`mlk_poly_compress_d5`	✅	2s	3s	-33%
`mlk_poly_compress_du`	✅	2s	4s	-50%
`mlk_poly_decompress_d10`	✅	2s	3s	-33%
`mlk_poly_decompress_d11_c`	✅	2s	3s	-33%
`mlk_poly_decompress_d4_c`	✅	2s	3s	-33%
`mlk_poly_decompress_d5`	✅	2s	2s	+0%
`mlk_poly_decompress_du`	✅	2s	2s	+0%
`mlk_poly_getnoise_eta2`	✅	2s	2s	+0%
`mlk_poly_invntt_tomont`	✅	2s	1s	+100%
`mlk_poly_reduce`	✅	2s	3s	-33%
`mlk_poly_reduce_c`	✅	2s	2s	+0%
`mlk_poly_tobytes_native`	✅	2s	4s	-50%
`mlk_poly_tomsg`	✅	2s	3s	-33%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	2s	2s	+0%
`mlk_polyvec_decompress_du`	✅	2s	2s	+0%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	2s	4s	-50%
`mlk_polyvec_tomont`	✅	2s	1s	+100%
`mlk_rej_uniform`	✅	2s	1s	+100%
`mlk_scalar_compress_d10`	✅	2s	1s	+100%
`mlk_scalar_compress_d11`	✅	2s	2s	+0%
`mlk_scalar_compress_d5`	✅	2s	1s	+100%
`mlk_scalar_decompress_d10`	✅	2s	1s	+100%
`mlk_sha3_512`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	3s	-33%
`mlk_shake128x4_absorb_once`	✅	2s	2s	+0%
`mlk_value_barrier_i32`	✅	2s	4s	-50%
`mlk_value_barrier_u32`	✅	2s	2s	+0%
`ntt_native_x86_64`	✅	2s	4s	-50%
`nttunpack_native_x86_64`	✅	2s	4s	-50%
`poly_compress_d4_native_x86_64`	✅	2s	3s	-33%
`poly_decompress_d11_native_x86_64`	✅	2s	1s	+100%
`poly_decompress_d5_native_x86_64`	✅	2s	2s	+0%
`poly_mulcache_compute_native_aarch64`	✅	2s	4s	-50%
`poly_mulcache_compute_native_x86_64`	✅	2s	3s	-33%
`poly_tobytes_native_x86_64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	2s	4s	-50%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	2s	2s	+0%
`rej_uniform_native`	✅	2s	4s	-50%
`sys_check_capability`	✅	2s	1s	+100%
`mlk_enc_derand_u`	❌	-	-	-
`mlk_enc_v`	❌	-	-	-
`mlk_indcpa_enc`	❌	-	152s	-
`mlk_indcpa_enc_u`	❌	-	-	-
`mlk_indcpa_enc_v`	❌	-	-	-
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	1s	+0%
`keccak_f1600_x4_native_avx2`	✅	1s	3s	-67%
`mlk_barrett_reduce`	✅	1s	2s	-50%
`mlk_check_pct`	✅	1s	2s	-50%
`mlk_ct_cmask_nonzero_u8`	✅	1s	3s	-67%
`mlk_ct_get_optblocker_i32`	✅	1s	1s	+0%
`mlk_ct_get_optblocker_u32`	✅	1s	4s	-75%
`mlk_keccakf1600_extract_bytes`	✅	1s	3s	-67%
`mlk_matvec_mul`	✅	1s	2s	-50%
`mlk_poly_compress_d11`	✅	1s	1s	+0%
`mlk_poly_compress_d11_native`	✅	1s	1s	+0%
`mlk_poly_compress_d5_c`	✅	1s	2s	-50%
`mlk_poly_compress_dv`	✅	1s	1s	+0%
`mlk_poly_decompress_d11`	✅	1s	2s	-50%
`mlk_poly_decompress_d11_native`	✅	1s	1s	+0%
`mlk_poly_decompress_dv`	✅	1s	2s	-50%
`mlk_poly_sub`	✅	1s	3s	-67%
`mlk_polyvec_frombytes`	✅	1s	1s	+0%
`mlk_polyvec_tobytes`	✅	1s	1s	+0%
`mlk_scalar_decompress_d11`	✅	1s	2s	-50%
`mlk_scalar_decompress_d4`	✅	1s	2s	-50%
`mlk_scalar_signed_to_unsigned_q`	✅	1s	2s	-50%
`mlk_shake128_absorb_once`	✅	1s	3s	-67%
`mlk_value_barrier_u8`	✅	1s	2s	-50%
`ntt_native_aarch64`	✅	1s	4s	-75%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	1s	4s	-75%

oqs-bot · 2026-03-12T06:55:27Z

CBMC Results (ML-KEM-768)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`mlk_enc_derand_u`	❌	-	-	-
`mlk_enc_v`	❌	-	-	-
`mlk_indcpa_enc`	❌	-	243s	-
`mlk_indcpa_enc_u`	❌	-	-	-
`mlk_indcpa_enc_v`	❌	-	-	-

Full Results (191 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1064s	1413s	-24.7%
`mlk_indcpa_keypair_derand`	✅	163s	231s	-29%
`mlk_keccak_squeezeblocks_x4`	✅	113s	118s	-4%
`mlk_rej_uniform_c`	✅	65s	73s	-11%
`polyvec_basemul_acc_montgomery_cached_native`	✅	58s	57s	+2%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	44s	46s	-4%
`mlk_poly_rej_uniform`	✅	32s	29s	+10%
`mlk_polyvec_add`	✅	27s	26s	+4%
`poly_ntt_native`	✅	22s	22s	+0%
`keccakf1600x4_permute_native_x4`	✅	19s	20s	-5%
`mlk_indcpa_dec`	✅	15s	14s	+7%
`mlk_poly_decompress_d4_native`	✅	13s	12s	+8%
`mlk_poly_decompress_d10_native`	✅	12s	11s	+9%
`mlk_poly_reduce_native`	✅	11s	14s	-21%
`mlk_ntt_layer`	✅	10s	14s	-29%
`mlk_poly_frommsg`	✅	10s	13s	-23%
`mlk_poly_frombytes_native`	✅	8s	6s	+33%
`mlk_poly_rej_uniform_x4`	✅	8s	7s	+14%
`mlk_keccak_squeezeblocks`	✅	7s	6s	+17%
`keccakf1600_permute_native`	✅	6s	5s	+20%
`kem_dec`	✅	6s	5s	+20%
`mlk_keccak_absorb_once_x4`	✅	6s	9s	-33%
`mlk_ntt_butterfly_block`	✅	6s	8s	-25%
`mlk_poly_decompress_d10_c`	✅	6s	5s	+20%
`nttunpack_native_x86_64`	✅	6s	3s	+100%
`kem_enc_derand`	✅	5s	2s	+150%
`mlk_fqmul`	✅	5s	7s	-29%
`mlk_gen_matrix_serial`	✅	5s	2s	+150%
`mlk_keccak_squeeze_once`	✅	5s	7s	-29%
`mlk_poly_add`	✅	5s	6s	-17%
`mlk_polymat_permute_bitrev_to_custom`	✅	5s	5s	+0%
`mlk_shake256x4`	✅	5s	4s	+25%
`poly_decompress_d10_native_x86_64`	✅	5s	3s	+67%
`poly_decompress_d4_native_x86_64`	✅	5s	4s	+25%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	5s	2s	+150%
`kem_check_pk`	✅	4s	2s	+100%
`mlk_ct_cmov_zero`	✅	4s	3s	+33%
`mlk_invntt_layer`	✅	4s	6s	-33%
`mlk_keccak_absorb_once`	✅	4s	5s	-20%
`mlk_poly_compress_d11_native`	✅	4s	2s	+100%
`mlk_poly_mulcache_compute_c`	✅	4s	3s	+33%
`mlk_poly_tomont`	✅	4s	3s	+33%
`mlk_scalar_compress_d1`	✅	4s	2s	+100%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	4s	3s	+33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	1s	+200%
`keccak_f1600_x4_native_aarch64_v84a`	✅	3s	1s	+200%
`keccakf1600x4_xor_bytes_native`	✅	3s	4s	-25%
`kem_enc`	✅	3s	2s	+50%
`kem_keypair_derand`	✅	3s	3s	+0%
`mlk_barrett_reduce`	✅	3s	3s	+0%
`mlk_check_pct`	✅	3s	3s	+0%
`mlk_ct_cmask_nonzero_u8`	✅	3s	3s	+0%
`mlk_ct_get_optblocker_u8`	✅	3s	3s	+0%
`mlk_ct_sel_int16`	✅	3s	2s	+50%
`mlk_keccakf1600_extract_bytes`	✅	3s	1s	+200%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	3s	3s	+0%
`mlk_keccakf1600_permute`	✅	3s	4s	-25%
`mlk_keccakf1600x4_permute`	✅	3s	1s	+200%
`mlk_poly_compress_d10_c`	✅	3s	6s	-50%
`mlk_poly_compress_d10_native`	✅	3s	1s	+200%
`mlk_poly_decompress_d5`	✅	3s	2s	+50%
`mlk_poly_decompress_d5_c`	✅	3s	2s	+50%
`mlk_poly_decompress_d5_native`	✅	3s	3s	+0%
`mlk_poly_invntt_tomont_c`	✅	3s	4s	-25%
`mlk_poly_ntt`	✅	3s	3s	+0%
`mlk_poly_ntt_c`	✅	3s	4s	-25%
`mlk_poly_reduce_c`	✅	3s	1s	+200%
`mlk_poly_tobytes_c`	✅	3s	3s	+0%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	3s	3s	+0%
`mlk_polyvec_invntt_tomont`	✅	3s	3s	+0%
`mlk_polyvec_permute_bitrev_to_custom`	✅	3s	4s	-25%
`mlk_polyvec_reduce`	✅	3s	2s	+50%
`mlk_polyvec_tomont`	✅	3s	3s	+0%
`mlk_rej_uniform`	✅	3s	2s	+50%
`mlk_scalar_compress_d11`	✅	3s	2s	+50%
`mlk_scalar_compress_d4`	✅	3s	4s	-25%
`mlk_scalar_decompress_d4`	✅	3s	2s	+50%
`mlk_scalar_signed_to_unsigned_q`	✅	3s	2s	+50%
`mlk_shake128_absorb_once`	✅	3s	4s	-25%
`mlk_shake256`	✅	3s	2s	+50%
`mlk_value_barrier_u32`	✅	3s	3s	+0%
`ntt_native_x86_64`	✅	3s	4s	-25%
`poly_compress_d11_native_x86_64`	✅	3s	3s	+0%
`poly_mulcache_compute_native_aarch64`	✅	3s	3s	+0%
`poly_tobytes_native_aarch64`	✅	3s	3s	+0%
`poly_tobytes_native_x86_64`	✅	3s	2s	+50%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	3s	3s	+0%
`rej_uniform_native_aarch64`	✅	3s	3s	+0%
`sys_check_capability`	✅	3s	2s	+50%
`intt_native_aarch64`	✅	2s	4s	-50%
`intt_native_x86_64`	✅	2s	4s	-50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	3s	-33%
`keccak_f1600_x4_native_avx2`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes_native`	✅	2s	2s	+0%
`kem_check_sk`	✅	2s	1s	+100%
`kem_keypair`	✅	2s	1s	+100%
`mlk_ct_cmask_nonzero_u16`	✅	2s	3s	-33%
`mlk_ct_get_optblocker_i32`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mlk_ct_memcmp`	✅	2s	2s	+0%
`mlk_gen_matrix`	✅	2s	4s	-50%
`mlk_keccakf1600_xor_bytes`	✅	2s	2s	+0%
`mlk_keccakf1600x4_xor_bytes`	✅	2s	1s	+100%
`mlk_keypair_getnoise`	✅	2s	2s	+0%
`mlk_matvec_mul`	✅	2s	1s	+100%
`mlk_poly_cbd_eta1`	✅	2s	1s	+100%
`mlk_poly_cbd_eta2`	✅	2s	1s	+100%
`mlk_poly_compress_d10`	✅	2s	2s	+0%
`mlk_poly_compress_d11`	✅	2s	2s	+0%
`mlk_poly_compress_d11_c`	✅	2s	3s	-33%
`mlk_poly_compress_d4`	✅	2s	2s	+0%
`mlk_poly_compress_d4_c`	✅	2s	3s	-33%
`mlk_poly_compress_d4_native`	✅	2s	3s	-33%
`mlk_poly_compress_dv`	✅	2s	2s	+0%
`mlk_poly_decompress_d10`	✅	2s	1s	+100%
`mlk_poly_decompress_d11`	✅	2s	1s	+100%
`mlk_poly_decompress_d11_c`	✅	2s	2s	+0%
`mlk_poly_decompress_d4`	✅	2s	2s	+0%
`mlk_poly_decompress_dv`	✅	2s	5s	-60%
`mlk_poly_frombytes`	✅	2s	1s	+100%
`mlk_poly_getnoise_eta1122_4x`	✅	2s	3s	-33%
`mlk_poly_getnoise_eta1_4x`	✅	2s	3s	-33%
`mlk_poly_getnoise_eta1_4x_native`	✅	2s	2s	+0%
`mlk_poly_getnoise_eta2`	✅	2s	1s	+100%
`mlk_poly_invntt_tomont`	✅	2s	2s	+0%
`mlk_poly_mulcache_compute`	✅	2s	1s	+100%
`mlk_poly_mulcache_compute_native`	✅	2s	2s	+0%
`mlk_poly_reduce`	✅	2s	2s	+0%
`mlk_poly_tobytes`	✅	2s	4s	-50%
`mlk_poly_tobytes_native`	✅	2s	3s	-33%
`mlk_poly_tomont_c`	✅	2s	4s	-50%
`mlk_poly_tomsg`	✅	2s	1s	+100%
`mlk_polyvec_compress_du`	✅	2s	2s	+0%
`mlk_polyvec_decompress_du`	✅	2s	1s	+100%
`mlk_polyvec_frombytes`	✅	2s	2s	+0%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	2s	3s	-33%
`mlk_scalar_compress_d10`	✅	2s	2s	+0%
`mlk_scalar_compress_d5`	✅	2s	2s	+0%
`mlk_scalar_decompress_d10`	✅	2s	2s	+0%
`mlk_scalar_decompress_d11`	✅	2s	2s	+0%
`mlk_scalar_decompress_d5`	✅	2s	1s	+100%
`mlk_sha3_256`	✅	2s	2s	+0%
`mlk_sha3_512`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	2s	+0%
`mlk_shake128x4_absorb_once`	✅	2s	4s	-50%
`mlk_shake128x4_squeezeblocks`	✅	2s	2s	+0%
`ntt_native_aarch64`	✅	2s	3s	-33%
`poly_compress_d4_native_x86_64`	✅	2s	1s	+100%
`poly_decompress_d11_native_x86_64`	✅	2s	3s	-33%
`poly_decompress_d5_native_x86_64`	✅	2s	2s	+0%
`poly_frombytes_native_x86_64`	✅	2s	4s	-50%
`poly_getnoise_eta1122_4x_native`	✅	2s	4s	-50%
`poly_invntt_tomont_native`	✅	2s	3s	-33%
`poly_reduce_native_aarch64`	✅	2s	2s	+0%
`poly_reduce_native_x86_64`	✅	2s	1s	+100%
`poly_tomont_native_aarch64`	✅	2s	2s	+0%
`poly_tomont_native_x86_64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	2s	3s	-33%
`rej_uniform_native`	✅	2s	2s	+0%
`rej_uniform_native_x86_64`	✅	2s	1s	+100%
`mlk_enc_derand_u`	❌	-	-	-
`mlk_enc_v`	❌	-	-	-
`mlk_indcpa_enc`	❌	-	243s	-
`mlk_indcpa_enc_u`	❌	-	-	-
`mlk_indcpa_enc_v`	❌	-	-	-
`keccak_f1600_x1_native_aarch64`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	3s	-67%
`mlk_ct_cmask_neg_i16`	✅	1s	2s	-50%
`mlk_ct_sel_uint8`	✅	1s	1s	+0%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	1s	2s	-50%
`mlk_keccakf1600x4_extract_bytes`	✅	1s	1s	+0%
`mlk_montgomery_reduce`	✅	1s	1s	+0%
`mlk_poly_compress_d5`	✅	1s	4s	-75%
`mlk_poly_compress_d5_c`	✅	1s	2s	-50%
`mlk_poly_compress_d5_native`	✅	1s	2s	-50%
`mlk_poly_compress_du`	✅	1s	2s	-50%
`mlk_poly_decompress_d11_native`	✅	1s	4s	-75%
`mlk_poly_decompress_d4_c`	✅	1s	2s	-50%
`mlk_poly_decompress_du`	✅	1s	3s	-67%
`mlk_poly_frombytes_c`	✅	1s	3s	-67%
`mlk_poly_sub`	✅	1s	4s	-75%
`mlk_poly_tomont_native`	✅	1s	1s	+0%
`mlk_polyvec_mulcache_compute`	✅	1s	3s	-67%
`mlk_polyvec_ntt`	✅	1s	3s	-67%
`mlk_polyvec_tobytes`	✅	1s	4s	-75%
`mlk_value_barrier_i32`	✅	1s	2s	-50%
`mlk_value_barrier_u8`	✅	1s	1s	+0%
`poly_compress_d10_native_x86_64`	✅	1s	2s	-50%
`poly_compress_d5_native_x86_64`	✅	1s	2s	-50%
`poly_mulcache_compute_native_x86_64`	✅	1s	1s	+0%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	1s	4s	-75%

oqs-bot · 2026-03-12T07:20:46Z

CBMC Results (ML-KEM-1024)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`mlk_enc_derand_u`	❌	-	-	-
`mlk_enc_v`	❌	-	-	-
`mlk_indcpa_enc`	❌	-	275s	-
`mlk_indcpa_enc_u`	❌	-	-	-
`mlk_indcpa_enc_v`	❌	-	-	-

Full Results (191 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1284s	1744s	-26.4%
`mlk_indcpa_keypair_derand`	✅	184s	378s	-51%
`polyvec_basemul_acc_montgomery_cached_native`	✅	133s	127s	+5%
`mlk_keccak_squeezeblocks_x4`	✅	122s	124s	-2%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	76s	70s	+9%
`mlk_rej_uniform_c`	✅	74s	70s	+6%
`mlk_poly_rej_uniform`	✅	36s	36s	+0%
`poly_ntt_native`	✅	28s	27s	+4%
`mlk_polyvec_add`	✅	25s	25s	+0%
`keccakf1600x4_permute_native_x4`	✅	19s	21s	-10%
`mlk_indcpa_dec`	✅	18s	15s	+20%
`mlk_polymat_permute_bitrev_to_custom`	✅	14s	10s	+40%
`mlk_poly_frommsg`	✅	13s	11s	+18%
`mlk_poly_reduce_native`	✅	13s	15s	-13%
`mlk_ntt_layer`	✅	12s	11s	+9%
`mlk_poly_decompress_d11_native`	✅	12s	12s	+0%
`mlk_poly_decompress_d5_native`	✅	12s	14s	-14%
`mlk_polyvec_ntt`	✅	11s	14s	-21%
`mlk_fqmul`	✅	9s	6s	+50%
`mlk_keccak_squeezeblocks`	✅	9s	6s	+50%
`mlk_poly_frombytes_native`	✅	9s	7s	+29%
`mlk_keccak_absorb_once_x4`	✅	8s	9s	-11%
`mlk_poly_rej_uniform_x4`	✅	8s	8s	+0%
`kem_dec`	✅	7s	6s	+17%
`mlk_invntt_layer`	✅	7s	4s	+75%
`mlk_ntt_butterfly_block`	✅	7s	7s	+0%
`mlk_poly_compress_d11_c`	✅	7s	8s	-12%
`poly_decompress_d5_native_x86_64`	✅	7s	5s	+40%
`kem_check_pk`	✅	6s	4s	+50%
`mlk_gen_matrix`	✅	6s	9s	-33%
`mlk_keccak_absorb_once`	✅	6s	4s	+50%
`mlk_keccak_squeeze_once`	✅	6s	7s	-14%
`poly_reduce_native_aarch64`	✅	6s	1s	+500%
`mlk_keccakf1600x4_extract_bytes`	✅	5s	1s	+400%
`mlk_keccakf1600x4_xor_bytes`	✅	5s	3s	+67%
`rej_uniform_native`	✅	5s	3s	+67%
`keccakf1600_permute_native`	✅	4s	7s	-43%
`mlk_ct_sel_uint8`	✅	4s	2s	+100%
`mlk_gen_matrix_serial`	✅	4s	6s	-33%
`mlk_poly_add`	✅	4s	4s	+0%
`mlk_poly_compress_d10_native`	✅	4s	3s	+33%
`mlk_poly_compress_d11_native`	✅	4s	3s	+33%
`mlk_poly_getnoise_eta1_4x_native`	✅	4s	1s	+300%
`mlk_poly_mulcache_compute_c`	✅	4s	4s	+0%
`mlk_polyvec_decompress_du`	✅	4s	3s	+33%
`mlk_polyvec_tobytes`	✅	4s	1s	+300%
`mlk_shake256`	✅	4s	2s	+100%
`nttunpack_native_x86_64`	✅	4s	3s	+33%
`poly_decompress_d10_native_x86_64`	✅	4s	3s	+33%
`poly_decompress_d11_native_x86_64`	✅	4s	4s	+0%
`poly_frombytes_native_x86_64`	✅	4s	4s	+0%
`poly_getnoise_eta1122_4x_native`	✅	4s	2s	+100%
`poly_mulcache_compute_native_aarch64`	✅	4s	2s	+100%
`poly_tomont_native_x86_64`	✅	4s	1s	+300%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	4s	2s	+100%
`intt_native_aarch64`	✅	3s	1s	+200%
`keccak_f1600_x4_native_aarch64_v84a`	✅	3s	3s	+0%
`keccakf1600x4_extract_bytes_native`	✅	3s	3s	+0%
`keccakf1600x4_xor_bytes_native`	✅	3s	4s	-25%
`kem_enc_derand`	✅	3s	4s	-25%
`mlk_check_pct`	✅	3s	3s	+0%
`mlk_ct_cmask_nonzero_u16`	✅	3s	2s	+50%
`mlk_ct_memcmp`	✅	3s	6s	-50%
`mlk_keccakf1600_extract_bytes`	✅	3s	1s	+200%
`mlk_keccakf1600_permute`	✅	3s	4s	-25%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	3s	2s	+50%
`mlk_keccakf1600x4_permute`	✅	3s	1s	+200%
`mlk_keypair_getnoise`	✅	3s	1s	+200%
`mlk_matvec_mul`	✅	3s	1s	+200%
`mlk_poly_cbd_eta2`	✅	3s	4s	-25%
`mlk_poly_compress_dv`	✅	3s	3s	+0%
`mlk_poly_decompress_d11`	✅	3s	3s	+0%
`mlk_poly_decompress_d4_native`	✅	3s	1s	+200%
`mlk_poly_decompress_d5`	✅	3s	2s	+50%
`mlk_poly_decompress_dv`	✅	3s	1s	+200%
`mlk_poly_getnoise_eta1122_4x`	✅	3s	2s	+50%
`mlk_poly_getnoise_eta1_4x`	✅	3s	3s	+0%
`mlk_poly_mulcache_compute`	✅	3s	3s	+0%
`mlk_poly_mulcache_compute_native`	✅	3s	2s	+50%
`mlk_poly_ntt_c`	✅	3s	3s	+0%
`mlk_poly_reduce`	✅	3s	2s	+50%
`mlk_poly_tobytes`	✅	3s	2s	+50%
`mlk_poly_tobytes_native`	✅	3s	4s	-25%
`mlk_poly_tomont_c`	✅	3s	2s	+50%
`mlk_poly_tomont_native`	✅	3s	2s	+50%
`mlk_poly_tomsg`	✅	3s	2s	+50%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	3s	3s	+0%
`mlk_polyvec_compress_du`	✅	3s	3s	+0%
`mlk_polyvec_invntt_tomont`	✅	3s	3s	+0%
`mlk_polyvec_permute_bitrev_to_custom`	✅	3s	3s	+0%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	3s	4s	-25%
`mlk_rej_uniform`	✅	3s	1s	+200%
`mlk_scalar_compress_d4`	✅	3s	1s	+200%
`mlk_shake128_squeezeblocks`	✅	3s	1s	+200%
`mlk_shake128x4_absorb_once`	✅	3s	3s	+0%
`mlk_shake128x4_squeezeblocks`	✅	3s	2s	+50%
`mlk_shake256x4`	✅	3s	5s	-40%
`mlk_value_barrier_i32`	✅	3s	3s	+0%
`mlk_value_barrier_u8`	✅	3s	2s	+50%
`ntt_native_x86_64`	✅	3s	3s	+0%
`poly_compress_d11_native_x86_64`	✅	3s	4s	-25%
`poly_compress_d5_native_x86_64`	✅	3s	4s	-25%
`poly_invntt_tomont_native`	✅	3s	4s	-25%
`poly_mulcache_compute_native_x86_64`	✅	3s	4s	-25%
`poly_reduce_native_x86_64`	✅	3s	1s	+200%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	3s	4s	-25%
`rej_uniform_native_aarch64`	✅	3s	1s	+200%
`sys_check_capability`	✅	3s	2s	+50%
`intt_native_x86_64`	✅	2s	1s	+100%
`keccak_f1600_x1_native_aarch64`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	1s	+100%
`keccak_f1600_x4_native_avx2`	✅	2s	1s	+100%
`kem_enc`	✅	2s	2s	+0%
`kem_keypair_derand`	✅	2s	5s	-60%
`mlk_barrett_reduce`	✅	2s	3s	-33%
`mlk_ct_cmask_neg_i16`	✅	2s	1s	+100%
`mlk_ct_cmask_nonzero_u8`	✅	2s	3s	-33%
`mlk_ct_get_optblocker_i32`	✅	2s	3s	-33%
`mlk_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mlk_ct_sel_int16`	✅	2s	3s	-33%
`mlk_poly_compress_d10_c`	✅	2s	3s	-33%
`mlk_poly_compress_d4_c`	✅	2s	2s	+0%
`mlk_poly_compress_d5_native`	✅	2s	3s	-33%
`mlk_poly_decompress_d10_native`	✅	2s	2s	+0%
`mlk_poly_decompress_d11_c`	✅	2s	2s	+0%
`mlk_poly_decompress_d4`	✅	2s	3s	-33%
`mlk_poly_decompress_d4_c`	✅	2s	3s	-33%
`mlk_poly_decompress_d5_c`	✅	2s	2s	+0%
`mlk_poly_decompress_du`	✅	2s	4s	-50%
`mlk_poly_frombytes_c`	✅	2s	1s	+100%
`mlk_poly_getnoise_eta2`	✅	2s	3s	-33%
`mlk_poly_invntt_tomont`	✅	2s	3s	-33%
`mlk_poly_sub`	✅	2s	2s	+0%
`mlk_poly_tomont`	✅	2s	3s	-33%
`mlk_polyvec_frombytes`	✅	2s	2s	+0%
`mlk_polyvec_mulcache_compute`	✅	2s	2s	+0%
`mlk_polyvec_reduce`	✅	2s	4s	-50%
`mlk_polyvec_tomont`	✅	2s	2s	+0%
`mlk_scalar_compress_d5`	✅	2s	3s	-33%
`mlk_scalar_decompress_d10`	✅	2s	3s	-33%
`mlk_scalar_decompress_d4`	✅	2s	2s	+0%
`mlk_scalar_decompress_d5`	✅	2s	2s	+0%
`mlk_shake128_absorb_once`	✅	2s	2s	+0%
`mlk_value_barrier_u32`	✅	2s	2s	+0%
`ntt_native_aarch64`	✅	2s	3s	-33%
`poly_compress_d10_native_x86_64`	✅	2s	2s	+0%
`poly_compress_d4_native_x86_64`	✅	2s	1s	+100%
`poly_tobytes_native_aarch64`	✅	2s	4s	-50%
`poly_tobytes_native_x86_64`	✅	2s	2s	+0%
`poly_tomont_native_aarch64`	✅	2s	1s	+100%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	2s	1s	+100%
`rej_uniform_native_x86_64`	✅	2s	3s	-33%
`mlk_enc_derand_u`	❌	-	-	-
`mlk_enc_v`	❌	-	-	-
`mlk_indcpa_enc`	❌	-	275s	-
`mlk_indcpa_enc_u`	❌	-	-	-
`mlk_indcpa_enc_v`	❌	-	-	-
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	1s	2s	-50%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	3s	-67%
`kem_check_sk`	✅	1s	4s	-75%
`kem_keypair`	✅	1s	1s	+0%
`mlk_ct_cmov_zero`	✅	1s	4s	-75%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	1s	1s	+0%
`mlk_keccakf1600_xor_bytes`	✅	1s	4s	-75%
`mlk_montgomery_reduce`	✅	1s	4s	-75%
`mlk_poly_cbd_eta1`	✅	1s	2s	-50%
`mlk_poly_compress_d10`	✅	1s	4s	-75%
`mlk_poly_compress_d11`	✅	1s	1s	+0%
`mlk_poly_compress_d4`	✅	1s	2s	-50%
`mlk_poly_compress_d4_native`	✅	1s	1s	+0%
`mlk_poly_compress_d5`	✅	1s	4s	-75%
`mlk_poly_compress_d5_c`	✅	1s	3s	-67%
`mlk_poly_compress_du`	✅	1s	3s	-67%
`mlk_poly_decompress_d10`	✅	1s	5s	-80%
`mlk_poly_decompress_d10_c`	✅	1s	2s	-50%
`mlk_poly_frombytes`	✅	1s	3s	-67%
`mlk_poly_invntt_tomont_c`	✅	1s	5s	-80%
`mlk_poly_ntt`	✅	1s	3s	-67%
`mlk_poly_reduce_c`	✅	1s	1s	+0%
`mlk_poly_tobytes_c`	✅	1s	2s	-50%
`mlk_scalar_compress_d1`	✅	1s	3s	-67%
`mlk_scalar_compress_d10`	✅	1s	3s	-67%
`mlk_scalar_compress_d11`	✅	1s	1s	+0%
`mlk_scalar_decompress_d11`	✅	1s	1s	+0%
`mlk_scalar_signed_to_unsigned_q`	✅	1s	2s	-50%
`mlk_sha3_256`	✅	1s	3s	-67%
`mlk_sha3_512`	✅	1s	1s	+0%
`poly_decompress_d4_native_x86_64`	✅	1s	3s	-67%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	1s	3s	-67%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	1s	4s	-75%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	1s	2s	-50%

hanno-becker

What's the purpose of 0a01cc4? Tests also serve as documentation, and using internal constants rather than public ones sets a wrong example.

If this is needed, can it be done in a preparatory PR? It seems unrelated to this PR.

mkannwischer · 2026-03-13T09:06:13Z

What's the purpose of 0a01cc4? Tests also serve as documentation, and using internal constants rather than public ones sets a wrong example.

If this is needed, can it be done in a preparatory PR? It seems unrelated to this PR.

The main question here is if we want to add the new API in mlkem_native.h or not. If we don't, we can't test the API in the standard test_mlkem.c, but we could add it in a separate test that includes kem.h, but not mlkem_native.h.
The purpose of 0a01cc4 was to get something to work first, so we can discuss how we want to proceed.

I agree with you that we don't want to keep it as is right now.

hanno-becker · 2026-03-13T09:09:46Z

Seeing that you also observed a slowdown on x86, I wonder if we should treat the incremental API as internal by default and only expose it in the public API if some new option MLK_CONFIG_ENABLE_MLKEM_BRAID it set?

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Change mlk_kem_enc_derand_u and mlk_kem_enc_v from MLK_INTERNAL_API to MLK_EXTERNAL_API so they are not static in monolithic builds. Add -Wno-unused-function to the monolithic_build_multilevel_native example (matching mldsa-native) since those examples don't exercise the incremental API. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Intel Xeon 4th gen (c7i) (no-opt)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-512 keypair`	`29373` cycles	`28131` cycles	`1.04`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Graviton4 (no-opt)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `0a0a167`	Previous: `712709d`	Ratio
`ML-KEM-512 encaps`	`41585` cycles	`40122` cycles	`1.04`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Graviton3 (no-opt)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `ebce63b`	Previous: `712709d`	Ratio
`ML-KEM-512 encaps`	`46759` cycles	`44596` cycles	`1.05`

This comment was automatically generated by workflow using github-action-benchmark.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

oqs-bot

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Intel Xeon 4th gen (c7i)'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.03.

Benchmark suite	Current: `ec9a558`	Previous: `712709d`	Ratio
`ML-KEM-1024 decaps`	`41455` cycles	`39591` cycles	`1.05`

This comment was automatically generated by workflow using github-action-benchmark.

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

mkannwischer force-pushed the incremental-enc-api branch 2 times, most recently from 325ab51 to 285fc8a Compare March 12, 2026 05:37

mkannwischer added the benchmark this PR should be benchmarked in CI label Mar 12, 2026

oqs-bot reviewed Mar 12, 2026

View reviewed changes

hanno-becker added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 13, 2026

hanno-becker requested changes Mar 13, 2026

View reviewed changes

mkannwischer and others added 9 commits March 16, 2026 14:53

Run autogen and format

54fafc7

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

test: Do not include kem.h and mlkem_native.h

8ffb4a1

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Recompute peak stack consumption

76c4853

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Fix -Wconversion errors and AWS-LC unused function warnings

1ede988

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Update OpenTitan work buffer sizes for reduced stack usage

0a9b03b

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Fix PCT keypair peak stack consumption values

46d023e

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

[WIP] Add configuration option enabling ML-KEM Braid API

0f852cf

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

CBMC: Add loop termination clauses for ML-KEM Braid helpers

0a0a167

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

hanno-becker force-pushed the incremental-enc-api branch from 907613d to 0a0a167 Compare March 16, 2026 14:54

hanno-becker added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 16, 2026

oqs-bot reviewed Mar 16, 2026

View reviewed changes

Only compute sp mulcache once

01f04aa

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

mkannwischer added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 17, 2026

x86_64: .balign 4 -> .balign 64

ebce63b

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

mkannwischer added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 17, 2026

ALWAYS_INLINE -> NOINLINE

ee5cae4

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

mkannwischer added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 17, 2026

oqs-bot reviewed Mar 17, 2026

View reviewed changes

hanno-becker added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 17, 2026

[TEST] Benchmark c7a.8xlarge instead of c7a.medium

ec9a558

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

hanno-becker added benchmark this PR should be benchmarked in CI and removed benchmark this PR should be benchmarked in CI labels Mar 17, 2026

Conversation

mkannwischer commented Mar 12, 2026

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 4th gen (c7i)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

ppc64le (POWER10) benchmarks

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

⚠️ Performance Alert ⚠️

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 4th gen (c7i) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

⚠️ Performance Alert ⚠️

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

⚠️ Performance Alert ⚠️

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Arm Cortex-A76 (Raspberry Pi 5) benchmarks

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Graviton4

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Graviton4 (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot commented Mar 12, 2026 •

edited

Loading

oqs-bot commented Mar 12, 2026 •

edited

Loading

oqs-bot commented Mar 12, 2026 •

edited

Loading

mkannwischer commented Mar 13, 2026 •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading