HOL Light: Prove correctness of AVX2 `poly_decompress_d{4,5,10,11}` by mkannwischer · Pull Request #1543 · pq-code-package/mlkem-native

mkannwischer · 2026-02-04T04:14:30Z

No description provided.

oqs-bot · 2026-02-04T04:57:57Z

CBMC Results (ML-KEM-768)

Full Results (169 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1488s	1312s	+13.4%
`mlk_indcpa_keypair_derand`	✅	254s	235s	+8%
`mlk_indcpa_enc`	✅	215s	186s	+16%
`mlk_keccak_squeezeblocks_x4`	✅	154s	145s	+6%
`mlk_rej_uniform_c`	✅	75s	65s	+15%
`polyvec_basemul_acc_montgomery_cached_native`	✅	59s	56s	+5%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	54s	48s	+12%
`poly_ntt_native`	✅	36s	27s	+33%
`mlk_poly_rej_uniform`	✅	33s	31s	+6%
`mlk_polyvec_add`	✅	29s	26s	+12%
`mlk_ntt_layer`	✅	21s	17s	+24%
`keccakf1600x4_permute_native_x4`	✅	19s	19s	+0%
`mlk_indcpa_dec`	✅	18s	15s	+20%
`mlk_poly_decompress_d10_native`	✅	14s	-	new
`mlk_poly_decompress_d4_native`	✅	14s	-	new
`mlk_poly_reduce_native`	✅	14s	12s	+17%
`mlk_keccak_absorb_once_x4`	✅	10s	9s	+11%
`mlk_poly_sub`	✅	10s	9s	+11%
`mlk_poly_frombytes_native`	✅	9s	8s	+12%
`mlk_invntt_layer`	✅	8s	3s	+167%
`mlk_ntt_butterfly_block`	✅	8s	7s	+14%
`mlk_poly_rej_uniform_x4`	✅	8s	7s	+14%
`keccakf1600_permute_native`	✅	7s	5s	+40%
`mlk_fqmul`	✅	7s	6s	+17%
`mlk_keccak_squeeze_once`	✅	7s	8s	-12%
`mlk_keccak_squeezeblocks`	✅	7s	10s	-30%
`mlk_poly_tomsg`	✅	7s	3s	+133%
`poly_frombytes_native_x86_64`	✅	7s	5s	+40%
`mlk_gen_matrix_serial`	✅	6s	3s	+100%
`mlk_poly_frommsg`	✅	6s	5s	+20%
`poly_decompress_d10_native_x86_64`	✅	6s	-	new
`poly_tomont_native_aarch64`	✅	6s	3s	+100%
`kem_dec`	✅	5s	8s	-38%
`mlk_keccak_absorb_once`	✅	5s	4s	+25%
`mlk_keccakf1600_permute`	✅	5s	3s	+67%
`mlk_keccakf1600x4_extract_bytes`	✅	5s	3s	+67%
`mlk_poly_compress_du`	✅	5s	3s	+67%
`mlk_poly_invntt_tomont`	✅	5s	3s	+67%
`mlk_polymat_permute_bitrev_to_custom`	✅	5s	5s	+0%
`mlk_polyvec_tomont`	✅	5s	3s	+67%
`intt_native_x86_64`	✅	4s	2s	+100%
`keccak_f1600_x1_native_aarch64`	✅	4s	2s	+100%
`mlk_check_pct`	✅	4s	4s	+0%
`mlk_ct_sel_uint8`	✅	4s	1s	+300%
`mlk_keccakf1600x4_permute`	✅	4s	3s	+33%
`mlk_montgomery_reduce`	✅	4s	2s	+100%
`mlk_poly_compress_dv`	✅	4s	3s	+33%
`mlk_poly_decompress_d11_native`	✅	4s	-	new
`mlk_poly_getnoise_eta1_4x`	✅	4s	5s	-20%
`mlk_poly_reduce`	✅	4s	2s	+100%
`mlk_poly_tomont`	✅	4s	4s	+0%
`mlk_polyvec_mulcache_compute`	✅	4s	3s	+33%
`mlk_polyvec_ntt`	✅	4s	4s	+0%
`mlk_scalar_decompress_d11`	✅	4s	3s	+33%
`mlk_sha3_256`	✅	4s	1s	+300%
`mlk_shake256x4`	✅	4s	5s	-20%
`mlk_value_barrier_u32`	✅	4s	3s	+33%
`poly_getnoise_eta1122_4x_native`	✅	4s	2s	+100%
`poly_mulcache_compute_native_aarch64`	✅	4s	2s	+100%
`intt_native_aarch64`	✅	3s	3s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	2s	+50%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	4s	-25%
`keccakf1600x4_xor_bytes_native`	✅	3s	4s	-25%
`kem_check_pk`	✅	3s	3s	+0%
`kem_check_sk`	✅	3s	1s	+200%
`kem_enc_derand`	✅	3s	3s	+0%
`kem_keypair`	✅	3s	2s	+50%
`kem_keypair_derand`	✅	3s	4s	-25%
`mlk_ct_cmask_neg_i16`	✅	3s	3s	+0%
`mlk_ct_cmask_nonzero_u16`	✅	3s	6s	-50%
`mlk_keccakf1600_extract_bytes`	✅	3s	2s	+50%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	3s	2s	+50%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	3s	3s	+0%
`mlk_matvec_mul`	✅	3s	2s	+50%
`mlk_poly_cbd_eta2`	✅	3s	4s	-25%
`mlk_poly_mulcache_compute`	✅	3s	4s	-25%
`mlk_poly_reduce_c`	✅	3s	4s	-25%
`mlk_poly_tobytes`	✅	3s	2s	+50%
`mlk_poly_tobytes_c`	✅	3s	1s	+200%
`mlk_poly_tobytes_native`	✅	3s	2s	+50%
`mlk_poly_tomont_native`	✅	3s	3s	+0%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	3s	2s	+50%
`mlk_scalar_compress_d10`	✅	3s	2s	+50%
`mlk_scalar_compress_d11`	✅	3s	3s	+0%
`mlk_scalar_compress_d4`	✅	3s	3s	+0%
`mlk_scalar_compress_d5`	✅	3s	2s	+50%
`ntt_native_x86_64`	✅	3s	3s	+0%
`poly_decompress_d4_native_x86_64`	✅	3s	-	new
`poly_reduce_native_aarch64`	✅	3s	1s	+200%
`poly_tobytes_native_aarch64`	✅	3s	3s	+0%
`poly_tobytes_native_x86_64`	✅	3s	1s	+200%
`poly_tomont_native_x86_64`	✅	3s	3s	+0%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	3s	4s	-25%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	3s	1s	+200%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	3s	2s	+50%
`rej_uniform_native`	✅	3s	3s	+0%
`rej_uniform_native_aarch64`	✅	3s	2s	+50%
`sys_check_capability`	✅	3s	1s	+200%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes_native`	✅	2s	2s	+0%
`kem_enc`	✅	2s	3s	-33%
`mlk_barrett_reduce`	✅	2s	1s	+100%
`mlk_ct_cmask_nonzero_u8`	✅	2s	2s	+0%
`mlk_ct_cmov_zero`	✅	2s	2s	+0%
`mlk_ct_get_optblocker_i32`	✅	2s	2s	+0%
`mlk_gen_matrix`	✅	2s	5s	-60%
`mlk_keccakf1600x4_xor_bytes`	✅	2s	2s	+0%
`mlk_poly_add`	✅	2s	2s	+0%
`mlk_poly_cbd_eta1`	✅	2s	4s	-50%
`mlk_poly_decompress_d10_c`	✅	2s	-	new
`mlk_poly_decompress_d11_c`	✅	2s	-	new
`mlk_poly_decompress_d4_c`	✅	2s	-	new
`mlk_poly_decompress_d5`	✅	2s	-	new
`mlk_poly_decompress_d5_c`	✅	2s	-	new
`mlk_poly_decompress_d5_native`	✅	2s	-	new
`mlk_poly_decompress_du`	✅	2s	3s	-33%
`mlk_poly_decompress_dv`	✅	2s	2s	+0%
`mlk_poly_frombytes`	✅	2s	2s	+0%
`mlk_poly_frombytes_c`	✅	2s	1s	+100%
`mlk_poly_getnoise_eta1122_4x`	✅	2s	3s	-33%
`mlk_poly_getnoise_eta1_4x_native`	✅	2s	4s	-50%
`mlk_poly_getnoise_eta2`	✅	2s	2s	+0%
`mlk_poly_invntt_tomont_c`	✅	2s	2s	+0%
`mlk_poly_mulcache_compute_c`	✅	2s	3s	-33%
`mlk_poly_ntt`	✅	2s	3s	-33%
`mlk_poly_ntt_c`	✅	2s	5s	-60%
`mlk_poly_tomont_c`	✅	2s	3s	-33%
`mlk_polyvec_compress_du`	✅	2s	3s	-33%
`mlk_polyvec_decompress_du`	✅	2s	3s	-33%
`mlk_polyvec_frombytes`	✅	2s	3s	-33%
`mlk_polyvec_invntt_tomont`	✅	2s	5s	-60%
`mlk_polyvec_permute_bitrev_to_custom`	✅	2s	1s	+100%
`mlk_polyvec_reduce`	✅	2s	1s	+100%
`mlk_rej_uniform`	✅	2s	2s	+0%
`mlk_scalar_decompress_d10`	✅	2s	3s	-33%
`mlk_scalar_decompress_d4`	✅	2s	2s	+0%
`mlk_scalar_decompress_d5`	✅	2s	4s	-50%
`mlk_scalar_signed_to_unsigned_q`	✅	2s	1s	+100%
`mlk_sha3_512`	✅	2s	1s	+100%
`mlk_shake128_absorb_once`	✅	2s	3s	-33%
`mlk_shake128_squeezeblocks`	✅	2s	3s	-33%
`mlk_shake128x4_absorb_once`	✅	2s	3s	-33%
`mlk_shake128x4_squeezeblocks`	✅	2s	1s	+100%
`mlk_value_barrier_i32`	✅	2s	3s	-33%
`mlk_value_barrier_u8`	✅	2s	2s	+0%
`ntt_native_aarch64`	✅	2s	3s	-33%
`nttunpack_native_x86_64`	✅	2s	5s	-60%
`poly_decompress_d5_native_x86_64`	✅	2s	-	new
`poly_reduce_native_x86_64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	2s	4s	-50%
`rej_uniform_native_x86_64`	✅	2s	3s	-33%
`mlk_ct_get_optblocker_u32`	✅	1s	2s	-50%
`mlk_ct_get_optblocker_u8`	✅	1s	1s	+0%
`mlk_ct_memcmp`	✅	1s	2s	-50%
`mlk_ct_sel_int16`	✅	1s	2s	-50%
`mlk_keccakf1600_xor_bytes`	✅	1s	3s	-67%
`mlk_poly_decompress_d10`	✅	1s	-	new
`mlk_poly_decompress_d11`	✅	1s	-	new
`mlk_poly_decompress_d4`	✅	1s	-	new
`mlk_poly_mulcache_compute_native`	✅	1s	2s	-50%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	1s	4s	-75%
`mlk_polyvec_tobytes`	✅	1s	3s	-67%
`mlk_scalar_compress_d1`	✅	1s	2s	-50%
`mlk_shake256`	✅	1s	1s	+0%
`poly_decompress_d11_native_x86_64`	✅	1s	-	new
`poly_invntt_tomont_native`	✅	1s	2s	-50%
`poly_mulcache_compute_native_x86_64`	✅	1s	1s	+0%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	1s	3s	-67%

oqs-bot · 2026-02-04T04:58:14Z

CBMC Results (ML-KEM-512)

Full Results (169 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	1281s	1308s	-2.1%
`mlk_indcpa_keypair_derand`	✅	186s	195s	-5%
`mlk_indcpa_enc`	✅	160s	174s	-8%
`mlk_keccak_squeezeblocks_x4`	✅	156s	170s	-8%
`mlk_rej_uniform_c`	✅	78s	92s	-15%
`mlk_poly_rej_uniform`	✅	40s	44s	-9%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	40s	48s	-17%
`poly_ntt_native`	✅	31s	31s	+0%
`mlk_polyvec_add`	✅	24s	26s	-8%
`mlk_ntt_layer`	✅	20s	26s	-23%
`polyvec_basemul_acc_montgomery_cached_native`	✅	20s	24s	-17%
`keccakf1600x4_permute_native_x4`	✅	19s	21s	-10%
`mlk_poly_decompress_d10_native`	✅	15s	-	new
`mlk_poly_decompress_d4_native`	✅	13s	-	new
`mlk_poly_reduce_native`	✅	13s	17s	-24%
`mlk_indcpa_dec`	✅	11s	12s	-8%
`mlk_poly_sub`	✅	10s	10s	+0%
`mlk_ntt_butterfly_block`	✅	9s	11s	-18%
`mlk_keccak_absorb_once_x4`	✅	8s	10s	-20%
`mlk_poly_frombytes_native`	✅	8s	10s	-20%
`keccakf1600_permute_native`	✅	7s	6s	+17%
`mlk_invntt_layer`	✅	7s	4s	+75%
`mlk_keccak_squeeze_once`	✅	7s	8s	-12%
`mlk_poly_frommsg`	✅	7s	6s	+17%
`mlk_poly_rej_uniform_x4`	✅	7s	7s	+0%
`kem_dec`	✅	6s	7s	-14%
`mlk_ct_cmask_nonzero_u16`	✅	6s	2s	+200%
`mlk_polymat_permute_bitrev_to_custom`	✅	6s	6s	+0%
`kem_keypair`	✅	5s	1s	+400%
`mlk_fqmul`	✅	5s	8s	-38%
`mlk_keccak_squeezeblocks`	✅	5s	10s	-50%
`mlk_poly_compress_du`	✅	5s	4s	+25%
`mlk_poly_getnoise_eta1_4x_native`	✅	5s	2s	+150%
`mlk_poly_getnoise_eta2`	✅	5s	4s	+25%
`poly_frombytes_native_x86_64`	✅	5s	6s	-17%
`kem_check_pk`	✅	4s	3s	+33%
`kem_enc`	✅	4s	4s	+0%
`mlk_keccak_absorb_once`	✅	4s	3s	+33%
`mlk_poly_cbd_eta1`	✅	4s	3s	+33%
`mlk_poly_decompress_d4_c`	✅	4s	-	new
`mlk_poly_decompress_d5`	✅	4s	-	new
`mlk_poly_getnoise_eta1_4x`	✅	4s	2s	+100%
`mlk_poly_mulcache_compute`	✅	4s	3s	+33%
`mlk_poly_mulcache_compute_c`	✅	4s	1s	+300%
`mlk_poly_ntt`	✅	4s	3s	+33%
`mlk_poly_tomont`	✅	4s	2s	+100%
`mlk_scalar_decompress_d4`	✅	4s	4s	+0%
`mlk_shake128x4_absorb_once`	✅	4s	3s	+33%
`mlk_shake256x4`	✅	4s	4s	+0%
`poly_decompress_d10_native_x86_64`	✅	4s	-	new
`poly_decompress_d4_native_x86_64`	✅	4s	-	new
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	4s	2s	+100%
`intt_native_x86_64`	✅	3s	4s	-25%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	3s	4s	-25%
`keccakf1600x4_xor_bytes_native`	✅	3s	3s	+0%
`kem_keypair_derand`	✅	3s	3s	+0%
`mlk_ct_cmask_neg_i16`	✅	3s	2s	+50%
`mlk_ct_get_optblocker_u32`	✅	3s	3s	+0%
`mlk_ct_sel_uint8`	✅	3s	3s	+0%
`mlk_gen_matrix`	✅	3s	3s	+0%
`mlk_keccakf1600_extract_bytes`	✅	3s	3s	+0%
`mlk_keccakf1600_xor_bytes`	✅	3s	5s	-40%
`mlk_keccakf1600x4_permute`	✅	3s	2s	+50%
`mlk_montgomery_reduce`	✅	3s	1s	+200%
`mlk_poly_decompress_d10_c`	✅	3s	-	new
`mlk_poly_decompress_d4`	✅	3s	-	new
`mlk_poly_frombytes`	✅	3s	1s	+200%
`mlk_poly_invntt_tomont`	✅	3s	1s	+200%
`mlk_poly_ntt_c`	✅	3s	3s	+0%
`mlk_poly_reduce_c`	✅	3s	3s	+0%
`mlk_poly_tobytes`	✅	3s	1s	+200%
`mlk_poly_tomsg`	✅	3s	4s	-25%
`mlk_polyvec_ntt`	✅	3s	2s	+50%
`mlk_polyvec_permute_bitrev_to_custom`	✅	3s	2s	+50%
`mlk_polyvec_reduce`	✅	3s	3s	+0%
`mlk_rej_uniform`	✅	3s	4s	-25%
`mlk_scalar_compress_d1`	✅	3s	2s	+50%
`mlk_scalar_compress_d11`	✅	3s	4s	-25%
`mlk_scalar_decompress_d10`	✅	3s	1s	+200%
`mlk_scalar_decompress_d11`	✅	3s	2s	+50%
`mlk_scalar_decompress_d5`	✅	3s	3s	+0%
`mlk_scalar_signed_to_unsigned_q`	✅	3s	1s	+200%
`mlk_sha3_256`	✅	3s	2s	+50%
`mlk_shake128x4_squeezeblocks`	✅	3s	1s	+200%
`mlk_value_barrier_u32`	✅	3s	2s	+50%
`mlk_value_barrier_u8`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	5s	-40%
`ntt_native_x86_64`	✅	3s	1s	+200%
`nttunpack_native_x86_64`	✅	3s	2s	+50%
`poly_decompress_d11_native_x86_64`	✅	3s	-	new
`poly_getnoise_eta1122_4x_native`	✅	3s	3s	+0%
`poly_mulcache_compute_native_aarch64`	✅	3s	3s	+0%
`poly_tobytes_native_aarch64`	✅	3s	4s	-25%
`poly_tomont_native_aarch64`	✅	3s	2s	+50%
`poly_tomont_native_x86_64`	✅	3s	3s	+0%
`rej_uniform_native_x86_64`	✅	3s	3s	+0%
`intt_native_aarch64`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	2s	+0%
`keccakf1600x4_extract_bytes_native`	✅	2s	1s	+100%
`kem_check_sk`	✅	2s	4s	-50%
`kem_enc_derand`	✅	2s	4s	-50%
`mlk_barrett_reduce`	✅	2s	2s	+0%
`mlk_ct_cmask_nonzero_u8`	✅	2s	3s	-33%
`mlk_ct_get_optblocker_i32`	✅	2s	2s	+0%
`mlk_ct_memcmp`	✅	2s	4s	-50%
`mlk_ct_sel_int16`	✅	2s	2s	+0%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	2s	2s	+0%
`mlk_keccakf1600_permute`	✅	2s	3s	-33%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	2s	2s	+0%
`mlk_keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`mlk_keccakf1600x4_xor_bytes`	✅	2s	2s	+0%
`mlk_matvec_mul`	✅	2s	4s	-50%
`mlk_poly_add`	✅	2s	2s	+0%
`mlk_poly_cbd_eta2`	✅	2s	2s	+0%
`mlk_poly_compress_dv`	✅	2s	1s	+100%
`mlk_poly_decompress_d11`	✅	2s	-	new
`mlk_poly_decompress_d11_c`	✅	2s	-	new
`mlk_poly_decompress_d11_native`	✅	2s	-	new
`mlk_poly_decompress_d5_c`	✅	2s	-	new
`mlk_poly_decompress_d5_native`	✅	2s	-	new
`mlk_poly_decompress_du`	✅	2s	2s	+0%
`mlk_poly_decompress_dv`	✅	2s	2s	+0%
`mlk_poly_getnoise_eta1122_4x`	✅	2s	2s	+0%
`mlk_poly_mulcache_compute_native`	✅	2s	2s	+0%
`mlk_poly_reduce`	✅	2s	2s	+0%
`mlk_poly_tobytes_c`	✅	2s	3s	-33%
`mlk_poly_tobytes_native`	✅	2s	3s	-33%
`mlk_poly_tomont_native`	✅	2s	3s	-33%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	2s	2s	+0%
`mlk_polyvec_compress_du`	✅	2s	2s	+0%
`mlk_polyvec_decompress_du`	✅	2s	3s	-33%
`mlk_polyvec_frombytes`	✅	2s	5s	-60%
`mlk_polyvec_invntt_tomont`	✅	2s	4s	-50%
`mlk_polyvec_mulcache_compute`	✅	2s	2s	+0%
`mlk_polyvec_tobytes`	✅	2s	2s	+0%
`mlk_scalar_compress_d10`	✅	2s	2s	+0%
`mlk_sha3_512`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	3s	-33%
`mlk_shake256`	✅	2s	2s	+0%
`mlk_value_barrier_i32`	✅	2s	1s	+100%
`poly_decompress_d5_native_x86_64`	✅	2s	-	new
`poly_mulcache_compute_native_x86_64`	✅	2s	1s	+100%
`poly_reduce_native_aarch64`	✅	2s	1s	+100%
`poly_tobytes_native_x86_64`	✅	2s	3s	-33%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	2s	1s	+100%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	2s	1s	+100%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	2s	2s	+0%
`rej_uniform_native`	✅	2s	4s	-50%
`rej_uniform_native_aarch64`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	1s	+100%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	1s	2s	-50%
`mlk_check_pct`	✅	1s	3s	-67%
`mlk_ct_cmov_zero`	✅	1s	3s	-67%
`mlk_ct_get_optblocker_u8`	✅	1s	3s	-67%
`mlk_gen_matrix_serial`	✅	1s	4s	-75%
`mlk_poly_decompress_d10`	✅	1s	-	new
`mlk_poly_frombytes_c`	✅	1s	2s	-50%
`mlk_poly_invntt_tomont_c`	✅	1s	1s	+0%
`mlk_poly_tomont_c`	✅	1s	3s	-67%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	1s	1s	+0%
`mlk_polyvec_tomont`	✅	1s	2s	-50%
`mlk_scalar_compress_d4`	✅	1s	2s	-50%
`mlk_scalar_compress_d5`	✅	1s	4s	-75%
`mlk_shake128_absorb_once`	✅	1s	4s	-75%
`poly_invntt_tomont_native`	✅	1s	2s	-50%
`poly_reduce_native_x86_64`	✅	1s	4s	-75%

oqs-bot · 2026-02-04T04:59:50Z

CBMC Results (ML-KEM-1024)

Full Results (169 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2513s	2467s	+1.9%
`mlk_indcpa_enc`	✅	1264s	1295s	-2%
`mlk_indcpa_keypair_derand`	✅	211s	205s	+3%
`mlk_keccak_squeezeblocks_x4`	✅	150s	147s	+2%
`polyvec_basemul_acc_montgomery_cached_native`	✅	114s	115s	-1%
`mlk_rej_uniform_c`	✅	67s	69s	-3%
`mlk_polyvec_basemul_acc_montgomery_cached_c`	✅	57s	56s	+2%
`mlk_poly_rej_uniform`	✅	32s	33s	-3%
`poly_ntt_native`	✅	30s	23s	+30%
`keccakf1600x4_permute_native_x4`	✅	22s	20s	+10%
`mlk_ntt_layer`	✅	19s	16s	+19%
`mlk_indcpa_dec`	✅	18s	15s	+20%
`mlk_poly_decompress_d5_native`	✅	14s	-	new
`mlk_polyvec_ntt`	✅	14s	13s	+8%
`mlk_poly_reduce_native`	✅	13s	13s	+0%
`mlk_poly_decompress_d11_native`	✅	12s	-	new
`mlk_keccak_absorb_once_x4`	✅	10s	10s	+0%
`mlk_poly_sub`	✅	10s	11s	-9%
`mlk_polyvec_add`	✅	10s	8s	+25%
`mlk_ntt_butterfly_block`	✅	9s	7s	+29%
`keccakf1600_permute_native`	✅	8s	4s	+100%
`mlk_poly_frombytes_native`	✅	8s	8s	+0%
`kem_dec`	✅	7s	7s	+0%
`mlk_fqmul`	✅	7s	6s	+17%
`mlk_gen_matrix`	✅	7s	7s	+0%
`mlk_keccak_squeeze_once`	✅	7s	6s	+17%
`mlk_keccak_squeezeblocks`	✅	7s	9s	-22%
`mlk_poly_compress_du`	✅	7s	8s	-12%
`mlk_poly_frommsg`	✅	7s	6s	+17%
`mlk_poly_rej_uniform_x4`	✅	7s	7s	+0%
`kem_check_pk`	✅	6s	4s	+50%
`mlk_gen_matrix_serial`	✅	6s	5s	+20%
`mlk_invntt_layer`	✅	6s	4s	+50%
`poly_decompress_d11_native_x86_64`	✅	5s	-	new
`poly_frombytes_native_x86_64`	✅	5s	4s	+25%
`intt_native_aarch64`	✅	4s	3s	+33%
`intt_native_x86_64`	✅	4s	2s	+100%
`kem_check_sk`	✅	4s	4s	+0%
`mlk_check_pct`	✅	4s	2s	+100%
`mlk_ct_get_optblocker_u32`	✅	4s	2s	+100%
`mlk_keccak_absorb_once`	✅	4s	4s	+0%
`mlk_keccakf1600_permute`	✅	4s	4s	+0%
`mlk_poly_decompress_d11`	✅	4s	-	new
`mlk_poly_decompress_d11_c`	✅	4s	-	new
`mlk_poly_decompress_dv`	✅	4s	18s	-78%
`mlk_poly_frombytes_c`	✅	4s	2s	+100%
`mlk_poly_getnoise_eta2`	✅	4s	1s	+300%
`mlk_poly_tobytes_native`	✅	4s	3s	+33%
`mlk_poly_tomont_native`	✅	4s	3s	+33%
`mlk_polymat_permute_bitrev_to_custom`	✅	4s	5s	-20%
`mlk_polyvec_decompress_du`	✅	4s	2s	+100%
`mlk_polyvec_permute_bitrev_to_custom`	✅	4s	1s	+300%
`mlk_polyvec_reduce`	✅	4s	2s	+100%
`mlk_polyvec_tobytes`	✅	4s	3s	+33%
`mlk_sha3_256`	✅	4s	1s	+300%
`nttunpack_native_x86_64`	✅	4s	2s	+100%
`poly_decompress_d5_native_x86_64`	✅	4s	-	new
`poly_tobytes_native_aarch64`	✅	4s	2s	+100%
`polyvec_basemul_acc_montgomery_cached_k4_native_aarch64`	✅	4s	3s	+33%
`polyvec_basemul_acc_montgomery_cached_k4_native_x86_64`	✅	4s	3s	+33%
`rej_uniform_native_x86_64`	✅	4s	1s	+300%
`keccak_f1600_x1_native_aarch64`	✅	3s	3s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	3s	4s	-25%
`keccakf1600x4_extract_bytes_native`	✅	3s	2s	+50%
`keccakf1600x4_xor_bytes_native`	✅	3s	4s	-25%
`kem_enc`	✅	3s	2s	+50%
`mlk_ct_cmask_neg_i16`	✅	3s	1s	+200%
`mlk_keccakf1600_extract_bytes (big endian)`	✅	3s	1s	+200%
`mlk_matvec_mul`	✅	3s	5s	-40%
`mlk_poly_cbd_eta1`	✅	3s	3s	+0%
`mlk_poly_decompress_d4`	✅	3s	-	new
`mlk_poly_decompress_d4_c`	✅	3s	-	new
`mlk_poly_getnoise_eta1122_4x`	✅	3s	4s	-25%
`mlk_poly_getnoise_eta1_4x_native`	✅	3s	3s	+0%
`mlk_poly_invntt_tomont`	✅	3s	2s	+50%
`mlk_poly_invntt_tomont_c`	✅	3s	2s	+50%
`mlk_poly_mulcache_compute_native`	✅	3s	1s	+200%
`mlk_poly_ntt`	✅	3s	3s	+0%
`mlk_poly_reduce`	✅	3s	2s	+50%
`mlk_poly_tomont_c`	✅	3s	2s	+50%
`mlk_polyvec_basemul_acc_montgomery_cached`	✅	3s	4s	-25%
`mlk_polyvec_invntt_tomont`	✅	3s	1s	+200%
`mlk_polyvec_permute_bitrev_to_custom_native`	✅	3s	3s	+0%
`mlk_scalar_compress_d11`	✅	3s	2s	+50%
`mlk_scalar_decompress_d4`	✅	3s	2s	+50%
`mlk_shake256`	✅	3s	3s	+0%
`mlk_shake256x4`	✅	3s	7s	-57%
`mlk_value_barrier_u32`	✅	3s	4s	-25%
`poly_getnoise_eta1122_4x_native`	✅	3s	3s	+0%
`poly_mulcache_compute_native_aarch64`	✅	3s	2s	+50%
`poly_mulcache_compute_native_x86_64`	✅	3s	2s	+50%
`poly_reduce_native_aarch64`	✅	3s	1s	+200%
`polyvec_basemul_acc_montgomery_cached_k2_native_aarch64`	✅	3s	2s	+50%
`polyvec_basemul_acc_montgomery_cached_k2_native_x86_64`	✅	3s	3s	+0%
`rej_uniform_native`	✅	3s	1s	+200%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	2s	2s	+0%
`kem_enc_derand`	✅	2s	2s	+0%
`kem_keypair`	✅	2s	2s	+0%
`mlk_barrett_reduce`	✅	2s	2s	+0%
`mlk_ct_cmask_nonzero_u16`	✅	2s	5s	-60%
`mlk_ct_get_optblocker_i32`	✅	2s	3s	-33%
`mlk_ct_get_optblocker_u8`	✅	2s	3s	-33%
`mlk_ct_memcmp`	✅	2s	3s	-33%
`mlk_ct_sel_uint8`	✅	2s	3s	-33%
`mlk_keccakf1600_xor_bytes`	✅	2s	2s	+0%
`mlk_montgomery_reduce`	✅	2s	1s	+100%
`mlk_poly_add`	✅	2s	3s	-33%
`mlk_poly_cbd_eta2`	✅	2s	3s	-33%
`mlk_poly_compress_dv`	✅	2s	3s	-33%
`mlk_poly_decompress_d10_c`	✅	2s	-	new
`mlk_poly_decompress_d10_native`	✅	2s	-	new
`mlk_poly_decompress_d4_native`	✅	2s	-	new
`mlk_poly_decompress_d5`	✅	2s	-	new
`mlk_poly_decompress_d5_c`	✅	2s	-	new
`mlk_poly_decompress_du`	✅	2s	2s	+0%
`mlk_poly_frombytes`	✅	2s	3s	-33%
`mlk_poly_getnoise_eta1_4x`	✅	2s	1s	+100%
`mlk_poly_mulcache_compute`	✅	2s	2s	+0%
`mlk_poly_mulcache_compute_c`	✅	2s	3s	-33%
`mlk_poly_ntt_c`	✅	2s	2s	+0%
`mlk_poly_reduce_c`	✅	2s	3s	-33%
`mlk_poly_tobytes`	✅	2s	2s	+0%
`mlk_poly_tobytes_c`	✅	2s	2s	+0%
`mlk_poly_tomont`	✅	2s	2s	+0%
`mlk_poly_tomsg`	✅	2s	7s	-71%
`mlk_polyvec_frombytes`	✅	2s	1s	+100%
`mlk_polyvec_mulcache_compute`	✅	2s	4s	-50%
`mlk_polyvec_tomont`	✅	2s	3s	-33%
`mlk_scalar_compress_d1`	✅	2s	2s	+0%
`mlk_scalar_compress_d10`	✅	2s	2s	+0%
`mlk_scalar_decompress_d10`	✅	2s	3s	-33%
`mlk_scalar_decompress_d11`	✅	2s	3s	-33%
`mlk_scalar_decompress_d5`	✅	2s	2s	+0%
`mlk_scalar_signed_to_unsigned_q`	✅	2s	3s	-33%
`mlk_sha3_512`	✅	2s	1s	+100%
`mlk_shake128_absorb_once`	✅	2s	2s	+0%
`mlk_shake128_squeezeblocks`	✅	2s	2s	+0%
`mlk_shake128x4_squeezeblocks`	✅	2s	4s	-50%
`mlk_value_barrier_i32`	✅	2s	2s	+0%
`mlk_value_barrier_u8`	✅	2s	2s	+0%
`ntt_native_x86_64`	✅	2s	4s	-50%
`poly_decompress_d4_native_x86_64`	✅	2s	-	new
`poly_invntt_tomont_native`	✅	2s	2s	+0%
`poly_reduce_native_x86_64`	✅	2s	3s	-33%
`poly_tobytes_native_x86_64`	✅	2s	2s	+0%
`poly_tomont_native_aarch64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k3_native_aarch64`	✅	2s	2s	+0%
`polyvec_basemul_acc_montgomery_cached_k3_native_x86_64`	✅	2s	4s	-50%
`rej_uniform_native_aarch64`	✅	2s	3s	-33%
`kem_keypair_derand`	✅	1s	2s	-50%
`mlk_ct_cmask_nonzero_u8`	✅	1s	3s	-67%
`mlk_ct_cmov_zero`	✅	1s	3s	-67%
`mlk_ct_sel_int16`	✅	1s	1s	+0%
`mlk_keccakf1600_extract_bytes`	✅	1s	3s	-67%
`mlk_keccakf1600_xor_bytes (big endian)`	✅	1s	2s	-50%
`mlk_keccakf1600x4_extract_bytes`	✅	1s	1s	+0%
`mlk_keccakf1600x4_permute`	✅	1s	2s	-50%
`mlk_keccakf1600x4_xor_bytes`	✅	1s	4s	-75%
`mlk_poly_decompress_d10`	✅	1s	-	new
`mlk_polyvec_compress_du`	✅	1s	1s	+0%
`mlk_rej_uniform`	✅	1s	2s	-50%
`mlk_scalar_compress_d4`	✅	1s	3s	-67%
`mlk_scalar_compress_d5`	✅	1s	4s	-75%
`mlk_shake128x4_absorb_once`	✅	1s	1s	+0%
`ntt_native_aarch64`	✅	1s	4s	-75%
`poly_decompress_d10_native_x86_64`	✅	1s	-	new
`poly_tomont_native_x86_64`	✅	1s	3s	-67%
`sys_check_capability`	✅	1s	2s	-50%

oqs-bot

Mac Mini (M1, 2020) benchmarks

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`12328` cycles	`12326` cycles	`1.00`
`ML-KEM-512 encaps`	`15031` cycles	`15032` cycles	`1.00`
`ML-KEM-512 decaps`	`19610` cycles	`19610` cycles	`1`
`ML-KEM-768 keypair`	`21091` cycles	`21091` cycles	`1`
`ML-KEM-768 encaps`	`23870` cycles	`23864` cycles	`1.00`
`ML-KEM-768 decaps`	`30444` cycles	`30441` cycles	`1.00`
`ML-KEM-1024 keypair`	`30376` cycles	`30375` cycles	`1.00`
`ML-KEM-1024 encaps`	`34641` cycles	`34643` cycles	`1.00`
`ML-KEM-1024 decaps`	`44266` cycles	`44269` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

ppc64le (POWER10) benchmarks

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`59563` cycles	`59601` cycles	`1.00`
`ML-KEM-512 encaps`	`72400` cycles	`72269` cycles	`1.00`
`ML-KEM-512 decaps`	`92292` cycles	`92043` cycles	`1.00`
`ML-KEM-768 keypair`	`99096` cycles	`98222` cycles	`1.01`
`ML-KEM-768 encaps`	`115134` cycles	`114587` cycles	`1.00`
`ML-KEM-768 decaps`	`140908` cycles	`140493` cycles	`1.00`
`ML-KEM-1024 keypair`	`148577` cycles	`150521` cycles	`0.99`
`ML-KEM-1024 encaps`	`167329` cycles	`170000` cycles	`0.98`
`ML-KEM-1024 decaps`	`198290` cycles	`201569` cycles	`0.98`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 4th gen (c7i)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`9637` cycles	`9655` cycles	`1.00`
`ML-KEM-512 encaps`	`11477` cycles	`11461` cycles	`1.00`
`ML-KEM-512 decaps`	`15397` cycles	`15380` cycles	`1.00`
`ML-KEM-768 keypair`	`16385` cycles	`16412` cycles	`1.00`
`ML-KEM-768 encaps`	`17859` cycles	`17875` cycles	`1.00`
`ML-KEM-768 decaps`	`23553` cycles	`23514` cycles	`1.00`
`ML-KEM-1024 keypair`	`22214` cycles	`22320` cycles	`1.00`
`ML-KEM-1024 encaps`	`24666` cycles	`24603` cycles	`1.00`
`ML-KEM-1024 decaps`	`32174` cycles	`32287` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`16850` cycles	`16892` cycles	`1.00`
`ML-KEM-512 encaps`	`18564` cycles	`18612` cycles	`1.00`
`ML-KEM-512 decaps`	`23885` cycles	`24010` cycles	`0.99`
`ML-KEM-768 keypair`	`28522` cycles	`28467` cycles	`1.00`
`ML-KEM-768 encaps`	`29842` cycles	`29791` cycles	`1.00`
`ML-KEM-768 decaps`	`37748` cycles	`37640` cycles	`1.00`
`ML-KEM-1024 keypair`	`41071` cycles	`41279` cycles	`0.99`
`ML-KEM-1024 encaps`	`43340` cycles	`43477` cycles	`1.00`
`ML-KEM-1024 decaps`	`53674` cycles	`53973` cycles	`0.99`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 4th gen (c7i) (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`28448` cycles	`28489` cycles	`1.00`
`ML-KEM-512 encaps`	`35802` cycles	`35778` cycles	`1.00`
`ML-KEM-512 decaps`	`45412` cycles	`45439` cycles	`1.00`
`ML-KEM-768 keypair`	`45970` cycles	`45959` cycles	`1.00`
`ML-KEM-768 encaps`	`56290` cycles	`56309` cycles	`1.00`
`ML-KEM-768 decaps`	`69460` cycles	`69447` cycles	`1.00`
`ML-KEM-1024 keypair`	`71624` cycles	`71608` cycles	`1.00`
`ML-KEM-1024 encaps`	`84491` cycles	`84550` cycles	`1.00`
`ML-KEM-1024 decaps`	`101600` cycles	`101570` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`11730` cycles	`11995` cycles	`0.98`
`ML-KEM-512 encaps`	`13450` cycles	`13179` cycles	`1.02`
`ML-KEM-512 decaps`	`18363` cycles	`18036` cycles	`1.02`
`ML-KEM-768 keypair`	`20527` cycles	`20303` cycles	`1.01`
`ML-KEM-768 encaps`	`21536` cycles	`21505` cycles	`1.00`
`ML-KEM-768 decaps`	`28652` cycles	`28642` cycles	`1.00`
`ML-KEM-1024 keypair`	`28052` cycles	`27797` cycles	`1.01`
`ML-KEM-1024 encaps`	`30152` cycles	`29923` cycles	`1.01`
`ML-KEM-1024 decaps`	`39449` cycles	`39325` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`16292` cycles	`16362` cycles	`1.00`
`ML-KEM-512 encaps`	`18510` cycles	`18692` cycles	`0.99`
`ML-KEM-512 decaps`	`25005` cycles	`25287` cycles	`0.99`
`ML-KEM-768 keypair`	`29269` cycles	`28835` cycles	`1.02`
`ML-KEM-768 encaps`	`29746` cycles	`30050` cycles	`0.99`
`ML-KEM-768 decaps`	`39257` cycles	`39303` cycles	`1.00`
`ML-KEM-1024 keypair`	`37577` cycles	`37694` cycles	`1.00`
`ML-KEM-1024 encaps`	`40671` cycles	`40688` cycles	`1.00`
`ML-KEM-1024 decaps`	`52833` cycles	`54420` cycles	`0.97`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Arm Cortex-A72 (Raspberry Pi 4) benchmarks

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`51009` cycles	`51107` cycles	`1.00`
`ML-KEM-512 encaps`	`59040` cycles	`58880` cycles	`1.00`
`ML-KEM-512 decaps`	`74787` cycles	`76137` cycles	`0.98`
`ML-KEM-768 keypair`	`86810` cycles	`86183` cycles	`1.01`
`ML-KEM-768 encaps`	`95747` cycles	`94505` cycles	`1.01`
`ML-KEM-768 decaps`	`118305` cycles	`117235` cycles	`1.01`
`ML-KEM-1024 keypair`	`130506` cycles	`130915` cycles	`1.00`
`ML-KEM-1024 encaps`	`142328` cycles	`142579` cycles	`1.00`
`ML-KEM-1024 decaps`	`173545` cycles	`174605` cycles	`0.99`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`17686` cycles	`17703` cycles	`1.00`
`ML-KEM-512 encaps`	`20697` cycles	`20701` cycles	`1.00`
`ML-KEM-512 decaps`	`27110` cycles	`27136` cycles	`1.00`
`ML-KEM-768 keypair`	`30019` cycles	`29999` cycles	`1.00`
`ML-KEM-768 encaps`	`32857` cycles	`32786` cycles	`1.00`
`ML-KEM-768 decaps`	`42078` cycles	`42065` cycles	`1.00`
`ML-KEM-1024 keypair`	`43866` cycles	`43916` cycles	`1.00`
`ML-KEM-1024 encaps`	`48871` cycles	`48929` cycles	`1.00`
`ML-KEM-1024 decaps`	`61524` cycles	`61497` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 3rd gen (c6a) (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`40251` cycles	`40432` cycles	`1.00`
`ML-KEM-512 encaps`	`48322` cycles	`48281` cycles	`1.00`
`ML-KEM-512 decaps`	`62412` cycles	`62397` cycles	`1.00`
`ML-KEM-768 keypair`	`63698` cycles	`63581` cycles	`1.00`
`ML-KEM-768 encaps`	`75031` cycles	`75186` cycles	`1.00`
`ML-KEM-768 decaps`	`93404` cycles	`93134` cycles	`1.00`
`ML-KEM-1024 keypair`	`95699` cycles	`94912` cycles	`1.01`
`ML-KEM-1024 encaps`	`109738` cycles	`109125` cycles	`1.01`
`ML-KEM-1024 decaps`	`132681` cycles	`131848` cycles	`1.01`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

AMD EPYC 4th gen (c7a) (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`36508` cycles	`36488` cycles	`1.00`
`ML-KEM-512 encaps`	`42989` cycles	`42975` cycles	`1.00`
`ML-KEM-512 decaps`	`55669` cycles	`55626` cycles	`1.00`
`ML-KEM-768 keypair`	`58439` cycles	`58432` cycles	`1.00`
`ML-KEM-768 encaps`	`67381` cycles	`67478` cycles	`1.00`
`ML-KEM-768 decaps`	`84353` cycles	`84349` cycles	`1.00`
`ML-KEM-1024 keypair`	`88604` cycles	`88593` cycles	`1.00`
`ML-KEM-1024 encaps`	`98930` cycles	`98928` cycles	`1.00`
`ML-KEM-1024 decaps`	`120517` cycles	`120398` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`18741` cycles	`18765` cycles	`1.00`
`ML-KEM-512 encaps`	`22031` cycles	`22038` cycles	`1.00`
`ML-KEM-512 decaps`	`29006` cycles	`29046` cycles	`1.00`
`ML-KEM-768 keypair`	`31806` cycles	`31797` cycles	`1.00`
`ML-KEM-768 encaps`	`35010` cycles	`34950` cycles	`1.00`
`ML-KEM-768 decaps`	`45036` cycles	`45043` cycles	`1.00`
`ML-KEM-1024 keypair`	`46346` cycles	`46353` cycles	`1.00`
`ML-KEM-1024 encaps`	`51695` cycles	`51755` cycles	`1.00`
`ML-KEM-1024 decaps`	`65260` cycles	`65265` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Intel Xeon 3rd gen (c6i) (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`45805` cycles	`45858` cycles	`1.00`
`ML-KEM-512 encaps`	`54750` cycles	`54826` cycles	`1.00`
`ML-KEM-512 decaps`	`70291` cycles	`70350` cycles	`1.00`
`ML-KEM-768 keypair`	`73835` cycles	`73878` cycles	`1.00`
`ML-KEM-768 encaps`	`85212` cycles	`85411` cycles	`1.00`
`ML-KEM-768 decaps`	`106292` cycles	`106322` cycles	`1.00`
`ML-KEM-1024 keypair`	`111746` cycles	`111833` cycles	`1.00`
`ML-KEM-1024 encaps`	`125932` cycles	`125999` cycles	`1.00`
`ML-KEM-1024 decaps`	`151756` cycles	`151810` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton4 (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`35487` cycles	`35503` cycles	`1.00`
`ML-KEM-512 encaps`	`40236` cycles	`40236` cycles	`1`
`ML-KEM-512 decaps`	`51240` cycles	`51242` cycles	`1.00`
`ML-KEM-768 keypair`	`56780` cycles	`56811` cycles	`1.00`
`ML-KEM-768 encaps`	`64651` cycles	`64717` cycles	`1.00`
`ML-KEM-768 decaps`	`78978` cycles	`79032` cycles	`1.00`
`ML-KEM-1024 keypair`	`88040` cycles	`88026` cycles	`1.00`
`ML-KEM-1024 encaps`	`97182` cycles	`97179` cycles	`1.00`
`ML-KEM-1024 decaps`	`116090` cycles	`116093` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

SpacemiT K1 8 (Banana Pi F3) benchmarks

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`155097` cycles	`155137` cycles	`1.00`
`ML-KEM-512 encaps`	`163256` cycles	`163334` cycles	`1.00`
`ML-KEM-512 decaps`	`206454` cycles	`206576` cycles	`1.00`
`ML-KEM-768 keypair`	`249487` cycles	`249554` cycles	`1.00`
`ML-KEM-768 encaps`	`270228` cycles	`270312` cycles	`1.00`
`ML-KEM-768 decaps`	`332042` cycles	`332138` cycles	`1.00`
`ML-KEM-1024 keypair`	`395121` cycles	`395117` cycles	`1.00`
`ML-KEM-1024 encaps`	`422154` cycles	`423801` cycles	`1.00`
`ML-KEM-1024 decaps`	`506827` cycles	`505575` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`28338` cycles	`28315` cycles	`1.00`
`ML-KEM-512 encaps`	`34249` cycles	`34298` cycles	`1.00`
`ML-KEM-512 decaps`	`44488` cycles	`44533` cycles	`1.00`
`ML-KEM-768 keypair`	`47890` cycles	`47843` cycles	`1.00`
`ML-KEM-768 encaps`	`54222` cycles	`54176` cycles	`1.00`
`ML-KEM-768 decaps`	`68733` cycles	`68665` cycles	`1.00`
`ML-KEM-1024 keypair`	`70489` cycles	`70571` cycles	`1.00`
`ML-KEM-1024 encaps`	`78996` cycles	`79163` cycles	`1.00`
`ML-KEM-1024 decaps`	`98759` cycles	`98878` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton3 (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`39033` cycles	`39061` cycles	`1.00`
`ML-KEM-512 encaps`	`44635` cycles	`44643` cycles	`1.00`
`ML-KEM-512 decaps`	`56731` cycles	`56721` cycles	`1.00`
`ML-KEM-768 keypair`	`62391` cycles	`62438` cycles	`1.00`
`ML-KEM-768 encaps`	`70933` cycles	`70938` cycles	`1.00`
`ML-KEM-768 decaps`	`86871` cycles	`86876` cycles	`1.00`
`ML-KEM-1024 keypair`	`96267` cycles	`96262` cycles	`1.00`
`ML-KEM-1024 encaps`	`106332` cycles	`106323` cycles	`1.00`
`ML-KEM-1024 decaps`	`126780` cycles	`126791` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Arm Cortex-A76 (Raspberry Pi 5) benchmarks

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`28330` cycles	`28401` cycles	`1.00`
`ML-KEM-512 encaps`	`34303` cycles	`34333` cycles	`1.00`
`ML-KEM-512 decaps`	`44527` cycles	`44596` cycles	`1.00`
`ML-KEM-768 keypair`	`47855` cycles	`47798` cycles	`1.00`
`ML-KEM-768 encaps`	`54128` cycles	`54106` cycles	`1.00`
`ML-KEM-768 decaps`	`68680` cycles	`68613` cycles	`1.00`
`ML-KEM-1024 keypair`	`70561` cycles	`70519` cycles	`1.00`
`ML-KEM-1024 encaps`	`79121` cycles	`79084` cycles	`1.00`
`ML-KEM-1024 decaps`	`98819` cycles	`98772` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Graviton2 (no-opt)

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`59195` cycles	`59161` cycles	`1.00`
`ML-KEM-512 encaps`	`68697` cycles	`68645` cycles	`1.00`
`ML-KEM-512 decaps`	`87493` cycles	`87401` cycles	`1.00`
`ML-KEM-768 keypair`	`95500` cycles	`95753` cycles	`1.00`
`ML-KEM-768 encaps`	`109173` cycles	`109549` cycles	`1.00`
`ML-KEM-768 decaps`	`134016` cycles	`134449` cycles	`1.00`
`ML-KEM-1024 keypair`	`148464` cycles	`147712` cycles	`1.01`
`ML-KEM-1024 encaps`	`164469` cycles	`163618` cycles	`1.01`
`ML-KEM-1024 decaps`	`195768` cycles	`194696` cycles	`1.01`

This comment was automatically generated by workflow using github-action-benchmark.

oqs-bot

Arm Cortex-A55 (Snapdragon 888) benchmarks

Details

Benchmark suite	Current: `09de6a8`	Previous: `0f1eef1`	Ratio
`ML-KEM-512 keypair`	`59487` cycles	`59475` cycles	`1.00`
`ML-KEM-512 encaps`	`67159` cycles	`67256` cycles	`1.00`
`ML-KEM-512 decaps`	`85749` cycles	`85777` cycles	`1.00`
`ML-KEM-768 keypair`	`97027` cycles	`96990` cycles	`1.00`
`ML-KEM-768 encaps`	`110384` cycles	`110495` cycles	`1.00`
`ML-KEM-768 decaps`	`137459` cycles	`137617` cycles	`1.00`
`ML-KEM-1024 keypair`	`154203` cycles	`154227` cycles	`1.00`
`ML-KEM-1024 encaps`	`171921` cycles	`170446` cycles	`1.01`
`ML-KEM-1024 decaps`	`208359` cycles	`207852` cycles	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

Add HOL Light assembly, bytecode, constants, and proof skeleton for poly_decompress_d4_avx2. Update autogen, Makefile, and dump_bytecode accordingly. Proof itself is left a TODO. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Cherry-picked from #1499. Autogen is adjusted to generate the required constants in compress_consts.c. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Add HOL Light assembly, bytecode, constants, and proof skeleton for poly_decompress_d5_avx2. Update autogen, Makefile, and dump_bytecode accordingly. Switch to s2n-bignum fork adding support for vpinsrw, see https://github.com/mkannwischer/s2n-bignum/tree/3ab626a8d78ff6e1cbdee5efaa030b09af847a7c Proof itself is left a TODO. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

Cherry-picked from #1499. Autogen is adjusted to generate the required constants in compress_consts.c. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Add HOL Light assembly, bytecode, constants, and proof skeleton for poly_decompress_d10_avx2. Update autogen, Makefile, and dump_bytecode accordingly. Switch to s2n-bignum fork adding support for vpsllvd, see https://github.com/mkannwischer/s2n-bignum/tree/9b0153c7b6fb7320942967f56e14fb5a7333a0b3 Proof itself is left a TODO. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

Cherry-picked from #1499. Autogen is adjusted to generate the required constants in compress_consts.c. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Add HOL Light assembly, bytecode, constants, and proof skeleton for poly_decompress_d11_avx2. Update autogen, Makefile, and dump_bytecode accordingly. Switch to s2n-bignum fork adding support for vpsrlvd and vpsrlvq, see https://github.com/mkannwischer/s2n-bignum/tree/13cb1dd13989db8b94a98e74cba26dda2a71d7de Proof itself is left a TODO. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

Previously, we only had CBMC proofs for the K-dependent poly_decompress_du and poly_decompress_du, not the underlying poly_decompress_d{4,5,10,11}_c functions. This commit adds CBMC proofs for ... - ... poly_decompress_d{4,5,10,11}_c - ... poly_decompress_d{4,5,10,11} - ... poly_decompress_d{4,5,10,11}_native - ... AVX2 backend implementations of poly_decompress_d{4,5,10,11}. Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Add NOIBT_SUBROUTINE_SAFE and SUBROUTINE_SAFE proofs for all four decompression functions. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

hanno-becker

I have reviewed the last 5 commits and LGTM. Thank you @mkannwischer.

It is difficult with the plethora of changes regarding the CT proofs to oversee whether we're fully consistent in the way the different variants are specified. I suggest that we do another review pass once all CT proofs are done.

hanno-becker · 2026-02-26T08:55:10Z

cf

HOL-Light: Review consistency of formulation of safety proofs #1581

Add functional correctness proofs for polyz_unpack_17 and polyz_unpack_19. Closely following the decompress proofs from mlkem-native: pq-code-package/mlkem-native#1543 Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

mkannwischer changed the title ~~WIP: HOL-Light: Prove correctness of AVX2 poly_decompress_d11~~ WIP: HOL-Light: Prove correctness of AVX2 poly_decompress_d11 Feb 4, 2026

hanno-becker added the benchmark this PR should be benchmarked in CI label Feb 4, 2026

oqs-bot reviewed Feb 4, 2026

View reviewed changes

hanno-becker force-pushed the prove-decompress-d11 branch from 3392df6 to c873e3f Compare February 5, 2026 04:52

mkannwischer mentioned this pull request Feb 5, 2026

x86: Add missing instructions for ML-KEM decompressions awslabs/s2n-bignum#346

Merged

mkannwischer changed the title ~~WIP: HOL-Light: Prove correctness of AVX2 poly_decompress_d11~~ HOL Light: Prove correctness of AVX2 poly_compress_d{4,5,10,11} Feb 5, 2026

mkannwischer changed the title ~~HOL Light: Prove correctness of AVX2 poly_compress_d{4,5,10,11}~~ HOL Light: Prove correctness of AVX2 poly_decompress_d{4,5,10,11} Feb 5, 2026

hanno-becker force-pushed the prove-decompress-d11 branch from c873e3f to e5c4c29 Compare February 5, 2026 05:27

mkannwischer and others added 18 commits February 25, 2026 20:20

x86_64: Convert poly_decompress_d5_avx2 from intrinsics to assembly

faea7b2

Cherry-picked from #1499. Autogen is adjusted to generate the required constants in compress_consts.c. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

HOL-Light/x86: Add correctness proof for decompress_d4

56e887a

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

HOL-Light/x86_64: Add proof for poly_decompress_d5

dbdf99a

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

x86_64: Convert poly_decompress_d10_avx2 from intrinsics to assembly

9379e09

Cherry-picked from #1499. Autogen is adjusted to generate the required constants in compress_consts.c. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

HOL-Light/x86_64: Add correctness proof for poly_decompress_d10

dcc59bc

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

x86_64: Convert poly_decompress_d11_avx2 from intrinsics to assembly

ed54951

Cherry-picked from #1499. Autogen is adjusted to generate the required constants in compress_consts.c. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

HOL-Light/x86_64: Add proof for poly_decompress_d11

cffd332

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

HOL-Light/x86_64: Unify and simplify decompression proofs

b75a4c7

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

HOL-Light: Add constant-time proofs for x86_64 decompression functions

883425f

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

x86_64: Add missing MLK_ASM_FN_SIZE for decompression functions

a4d87c5

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Update s2n-bignum to upstream awslabs/s2n-bignum

15d4785

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

HOL-Light/x86_64: Add subroutine-level CT proofs for decompression

60e2b9d

Add NOIBT_SUBROUTINE_SAFE and SUBROUTINE_SAFE proofs for all four decompression functions. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

HOL-Light: Add decompression functions to README

2095ebd

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

mkannwischer force-pushed the prove-decompress-d11 branch from 0d01d4e to 2095ebd Compare February 25, 2026 12:22

mkannwischer mentioned this pull request Feb 25, 2026

Format: Don't allow tabs #1573

Merged

hanno-becker approved these changes Feb 26, 2026

View reviewed changes

hanno-becker merged commit 4e44546 into main Feb 26, 2026
409 checks passed

hanno-becker deleted the prove-decompress-d11 branch February 26, 2026 09:00

mkannwischer mentioned this pull request Mar 14, 2026

Update mlkem-native to v1.1.0 open-quantum-safe/liboqs#2376

Merged

Conversation

mkannwischer commented Feb 4, 2026

Uh oh!

oqs-bot commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-KEM-768)

Uh oh!

oqs-bot commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-KEM-512)

Uh oh!

oqs-bot commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-KEM-1024)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Mac Mini (M1, 2020) benchmarks

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

ppc64le (POWER10) benchmarks

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 4th gen (c7i)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 4th gen (c7i) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Arm Cortex-A72 (Raspberry Pi 4) benchmarks

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Graviton4

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 3rd gen (c6a) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

AMD EPYC 4th gen (c7a) (no-opt)

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Graviton3

Uh oh!

oqs-bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Intel Xeon 3rd gen (c6i) (no-opt)

Uh oh!

oqs-bot commented Feb 4, 2026 •

edited

Loading

oqs-bot commented Feb 4, 2026 •

edited

Loading

oqs-bot commented Feb 4, 2026 •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

oqs-bot left a comment •

edited

Loading

hanno-becker commented Feb 26, 2026 •

edited

Loading