Skip to content

Hol-Light: Add x86 AVX2 iNTT proof#943

Open
jakemas wants to merge 2 commits intomainfrom
mldsa-intt-proof
Open

Hol-Light: Add x86 AVX2 iNTT proof#943
jakemas wants to merge 2 commits intomainfrom
mldsa-intt-proof

Conversation

@jakemas
Copy link
Contributor

@jakemas jakemas commented Feb 3, 2026
edited
Loading

Proof takes ~2hrs:
HOL-Light / x86_64 HOL Light proof for mldsa_intt.S (pull_request) Successful in 117m

Also added CBMC proof:

  | Proof                                        | Status  | Duration (in s) |
  |----------------------------------------------|---------|-----------------|
  | intt_native_x86_64                           | Success | 4               |

@jakemas jakemas force-pushed the mldsa-intt-proof branch 2 times, most recently from 69faa1d to b0c1344 Compare February 3, 2026 22:09
@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 3, 2026
edited
Loading

CBMC Results (ML-DSA-44)

Full Results (175 proofs)
Proof Status Current Previous Change
**TOTAL** 2008s 1991s +0.9%
mld_attempt_signature_generation 260s 260s +0%
polyvecl_pointwise_acc_montgomery_c 215s 214s +0%
sign_verify_internal 178s 178s +0%
poly_pointwise_montgomery_c 134s 133s +1%
rej_uniform_native 134s 131s +2%
mld_ct_memcmp 84s 81s +4%
mld_ntt_layer 56s 60s -7%
mld_invntt_layer 49s 49s +0%
keccak_squeezeblocks_x4 41s 42s -2%
sign_signature_internal 35s 36s -3%
polyvec_matrix_expand 31s 28s +11%
rej_uniform 22s 22s +0%
rej_uniform_c 21s 17s +24%
fqmul 20s 19s +5%
poly_chknorm_c 19s 17s +12%
poly_uniform_eta_4x 18s 16s +12%
polymat_permute_bitrev_to_custom 18s 15s +20%
poly_uniform_4x 17s 15s +13%
keccakf1600x4_permute_native 15s 15s +0%
mld_compute_t0_t1_tr_from_sk_components 15s 17s -12%
polyt0_unpack 14s 14s +0%
mld_ntt_butterfly_block 13s 13s +0%
polyeta_unpack 13s 12s +8%
keccak_absorb_once_x4 11s 12s -8%
polyz_unpack_c 11s 12s -8%
polyvec_matrix_expand_serial 10s 5s +100%
mld_polyvecl_permute_bitrev_to_custom_native 9s 8s +12%
poly_invntt_tomont_c 8s 7s +14%
polyveck_add 8s 12s -33%
sign_keypair_internal 8s 5s +60%
keccakf1600_permute 7s 7s +0%
keccakf1600_permute_native 7s 9s -22%
mld_compute_pack_z 7s 8s -12%
sign_verify_pre_hash_internal 7s 3s +133%
keccak_absorb 6s 5s +20%
mld_sample_s1_s2 6s 4s +50%
poly_caddq_native 6s 2s +200%
poly_ntt 6s 3s +100%
poly_use_hint_c 6s 3s +100%
polyveck_decompose 6s 7s -14%
polyveck_ntt 6s 5s +20%
polyveck_pointwise_poly_montgomery 6s 6s +0%
polyveck_shiftl 6s 4s +50%
polyveck_sub 6s 6s +0%
polyveck_unpack_t0 6s 4s +50%
polyveck_use_hint 6s 4s +50%
polyvecl_chknorm 6s 4s +50%
sign 6s 7s -14%
sign_pk_from_sk 6s 6s +0%
unpack_hints 6s 3s +100%
mld_check_pct 5s 5s +0%
mld_ct_get_optblocker_u32 5s 2s +150%
poly_caddq_native_aarch64 5s 5s +0%
poly_decompose_c 5s 6s -17%
poly_invntt_tomont 5s 5s +0%
poly_shiftl 5s 3s +67%
poly_uniform_gamma1_4x 5s 6s -17%
poly_use_hint_native 5s 4s +25%
polyvec_matrix_pointwise_montgomery 5s 8s -38%
polyveck_chknorm 5s 4s +25%
polyveck_invntt_tomont 5s 7s -29%
polyveck_pack_eta 5s 3s +67%
polyw1_pack 5s 2s +150%
polyz_pack 5s 3s +67%
polyz_unpack 5s 4s +25%
rej_eta_native 5s 4s +25%
shake128_finalize 5s 3s +67%
sign_signature_extmu 5s 3s +67%
sign_signature_pre_hash_internal 5s 3s +67%
sign_signature_pre_hash_shake256 5s 6s -17%
sign_verify_extmu 5s 3s +67%
sign_verify_pre_hash_shake256 5s 5s +0%
keccak_squeeze 4s 5s -20%
mld_prepare_domain_separation_prefix 4s 4s +0%
pack_sig_c_h 4s 3s +33%
poly_add 4s 3s +33%
poly_challenge 4s 3s +33%
poly_chknorm 4s 3s +33%
poly_chknorm_native 4s 5s -20%
poly_ntt_c 4s 4s +0%
poly_pointwise_montgomery_native 4s 5s -20%
poly_uniform 4s 4s +0%
polyt0_pack 4s 3s +33%
polyveck_caddq 4s 5s -20%
polyveck_reduce 4s 7s -43%
polyvecl_ntt 4s 3s +33%
polyvecl_pack_eta 4s 4s +0%
polyvecl_uniform_gamma1 4s 5s -20%
polyvecl_uniform_gamma1_serial 4s 4s +0%
polyz_unpack_native 4s 4s +0%
shake256_squeeze 4s 2s +100%
shake256x4_squeezeblocks 4s 4s +0%
sign_open 4s 2s +100%
sign_signature 4s 4s +0%
unpack_sig 4s 3s +33%
unpack_sk 4s 4s +0%
keccak_init 3s 2s +50%
keccakf1600_xor_bytes (big endian) 3s 2s +50%
keccakf1600x4_permute 3s 1s +200%
mld_ct_get_optblocker_i64 3s 2s +50%
mld_ct_get_optblocker_u8 3s 3s +0%
mld_sample_s1_s2_serial 3s 6s -50%
ntt_native_x86_64 3s 3s +0%
pack_pk 3s 4s -25%
pack_sig_z 3s 4s -25%
poly_caddq_c 3s 2s +50%
poly_invntt_tomont_native 3s 2s +50%
poly_ntt_native 3s 3s +0%
poly_pointwise_montgomery 3s 4s -25%
poly_reduce 3s 4s -25%
poly_uniform_eta 3s 4s -25%
poly_uniform_gamma1 3s 4s -25%
poly_use_hint 3s 2s +50%
polyt1_pack 3s 4s -25%
polyveck_make_hint 3s 6s -50%
polyveck_pack_w1 3s 3s +0%
polyveck_power2round 3s 3s +0%
polyvecl_permute_bitrev_to_custom 3s 3s +0%
polyvecl_pointwise_acc_montgomery 3s 3s +0%
polyvecl_pointwise_acc_montgomery_native 3s 4s -25%
polyvecl_unpack_eta 3s 3s +0%
reduce32 3s 3s +0%
rej_eta 3s 2s +50%
rej_eta_c 3s 4s -25%
shake128_release 3s 4s -25%
shake128_squeeze 3s 3s +0%
shake256 3s 3s +0%
shake256_absorb 3s 3s +0%
shake256_finalize 3s 3s +0%
shake256_release 3s 3s +0%
sign_keypair 3s 3s +0%
sign_verify 3s 5s -40%
sys_check_capability 3s 4s -25%
unpack_pk 3s 2s +50%
use_hint 3s 3s +0%
caddq 2s 3s -33%
decompose 2s 3s -33%
fqscale 2s 3s -33%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600x4_extract_bytes 2s 5s -60%
keccakf1600x4_xor_bytes 2s 2s +0%
make_hint 2s 4s -50%
mld_ct_abs_i32 2s 2s +0%
mld_ct_cmask_neg_i32 2s 1s +100%
mld_ct_cmask_nonzero_u32 2s 4s -50%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_ct_sel_int32 2s 3s -33%
mld_h 2s 3s -33%
mld_keccakf1600_extract_bytes 2s 2s +0%
mld_value_barrier_i64 2s 2s +0%
mld_value_barrier_u32 2s 3s -33%
montgomery_reduce 2s 4s -50%
pack_sk 2s 4s -50%
poly_caddq 2s 3s -33%
poly_decompose 2s 2s +0%
poly_decompose_native 2s 3s -33%
poly_make_hint 2s 2s +0%
poly_power2round 2s 6s -67%
polyeta_pack 2s 2s +0%
polyt1_unpack 2s 3s -33%
polyveck_pack_t0 2s 2s +0%
polyveck_unpack_eta 2s 3s -33%
polyvecl_unpack_z 2s 1s +100%
power2round 2s 3s -33%
shake128_absorb 2s 2s +0%
shake128x4_absorb_once 2s 2s +0%
shake128x4_squeezeblocks 2s 3s -33%
shake256_init 2s 2s +0%
shake256x4_absorb_once 2s 3s -33%
intt_native_x86_64 1s - new
keccak_finalize 1s 2s -50%
keccakf1600_xor_bytes 1s 3s -67%
mld_value_barrier_u8 1s 3s -67%
poly_sub 1s 4s -75%
shake128_init 1s 6s -83%

@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 3, 2026
edited
Loading

CBMC Results (ML-DSA-87)

Full Results (175 proofs)
Proof Status Current Previous Change
**TOTAL** 2529s 2540s -0.4%
sign_verify_internal 317s 319s -1%
mld_attempt_signature_generation 232s 235s -1%
polyvecl_pointwise_acc_montgomery_c 172s 186s -8%
poly_pointwise_montgomery_c 148s 152s -3%
polyvec_matrix_expand 141s 141s +0%
rej_uniform_native 135s 129s +5%
mld_invntt_layer 119s 121s -2%
polyvec_matrix_expand_serial 107s 109s -2%
mld_ct_memcmp 89s 88s +1%
mld_ntt_layer 74s 72s +3%
poly_invntt_tomont_c 45s 50s -10%
sign_signature_internal 44s 42s +5%
keccak_squeezeblocks_x4 43s 42s +2%
mld_compute_t0_t1_tr_from_sk_components 28s 26s +8%
polymat_permute_bitrev_to_custom 25s 25s +0%
rej_uniform 22s 20s +10%
fqmul 21s 19s +11%
rej_uniform_c 18s 19s -5%
poly_chknorm_c 16s 20s -20%
poly_uniform_4x 16s 14s +14%
poly_uniform_eta_4x 16s 14s +14%
polyt0_unpack 16s 17s -6%
polyeta_unpack 15s 14s +7%
polyveck_add 15s 14s +7%
keccakf1600x4_permute_native 14s 16s -12%
poly_decompose_c 14s 8s +75%
polyvec_matrix_pointwise_montgomery 14s 13s +8%
polyveck_power2round 14s 13s +8%
mld_ntt_butterfly_block 13s 13s +0%
polyveck_reduce 11s 9s +22%
keccak_absorb_once_x4 10s 10s +0%
polyveck_caddq 10s 10s +0%
keccakf1600_permute 9s 7s +29%
mld_polyvecl_permute_bitrev_to_custom_native 9s 10s -10%
polyvecl_ntt 9s 8s +12%
sign 9s 8s +12%
keccakf1600_permute_native 8s 9s -11%
sign_pk_from_sk 8s 11s -27%
keccak_absorb 7s 7s +0%
mld_compute_pack_z 7s 6s +17%
mld_sample_s1_s2_serial 7s 7s +0%
polyveck_chknorm 7s 10s -30%
polyveck_invntt_tomont 7s 8s -12%
polyveck_pointwise_poly_montgomery 7s 8s -12%
polyveck_shiftl 7s 6s +17%
polyveck_use_hint 7s 5s +40%
polyz_unpack_c 7s 5s +40%
sign_keypair_internal 7s 9s -22%
unpack_hints 7s 6s +17%
unpack_sk 7s 5s +40%
mld_check_pct 6s 10s -40%
mld_sample_s1_s2 6s 6s +0%
poly_caddq 6s 5s +20%
poly_decompose_native 6s 4s +50%
polyveck_decompose 6s 6s +0%
polyveck_make_hint 6s 4s +50%
polyveck_sub 6s 7s -14%
polyvecl_unpack_z 6s 4s +50%
rej_eta_c 6s 5s +20%
rej_eta_native 6s 6s +0%
keccakf1600x4_xor_bytes 5s 2s +150%
poly_challenge 5s 5s +0%
poly_invntt_tomont 5s 3s +67%
polyveck_pack_eta 5s 2s +150%
polyveck_unpack_eta 5s 5s +0%
polyvecl_pointwise_acc_montgomery_native 5s 3s +67%
polyvecl_uniform_gamma1 5s 4s +25%
polyvecl_unpack_eta 5s 4s +25%
shake256_finalize 5s 3s +67%
sign_keypair 5s 4s +25%
sign_open 5s 2s +150%
sign_signature 5s 5s +0%
sign_signature_pre_hash_internal 5s 2s +150%
sign_verify_pre_hash_internal 5s 6s -17%
use_hint 5s 3s +67%
caddq 4s 4s +0%
keccakf1600_xor_bytes (big endian) 4s 4s +0%
keccakf1600x4_permute 4s 3s +33%
mld_ct_get_optblocker_u32 4s 3s +33%
mld_ct_get_optblocker_u8 4s 2s +100%
mld_ct_sel_int32 4s 3s +33%
mld_h 4s 4s +0%
mld_prepare_domain_separation_prefix 4s 3s +33%
ntt_native_x86_64 4s 3s +33%
pack_sk 4s 4s +0%
poly_add 4s 3s +33%
poly_ntt_native 4s 3s +33%
poly_pointwise_montgomery 4s 5s -20%
poly_reduce 4s 3s +33%
poly_uniform 4s 5s -20%
poly_uniform_eta 4s 5s -20%
poly_uniform_gamma1_4x 4s 4s +0%
polyveck_ntt 4s 8s -50%
polyvecl_chknorm 4s 3s +33%
polyvecl_uniform_gamma1_serial 4s 5s -20%
shake128_absorb 4s 1s +300%
shake256 4s 3s +33%
shake256_init 4s 3s +33%
shake256x4_absorb_once 4s 3s +33%
sign_verify_extmu 4s 4s +0%
sign_verify_pre_hash_shake256 4s 4s +0%
decompose 3s 5s -40%
fqscale 3s 3s +0%
keccak_finalize 3s 2s +50%
keccak_squeeze 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 4s -25%
mld_keccakf1600_extract_bytes 3s 3s +0%
mld_value_barrier_u8 3s 2s +50%
pack_sig_c_h 3s 4s -25%
poly_caddq_c 3s 5s -40%
poly_caddq_native 3s 2s +50%
poly_caddq_native_aarch64 3s 2s +50%
poly_chknorm 3s 1s +200%
poly_chknorm_native 3s 2s +50%
poly_decompose 3s 4s -25%
poly_invntt_tomont_native 3s 3s +0%
poly_make_hint 3s 2s +50%
poly_ntt_c 3s 5s -40%
poly_pointwise_montgomery_native 3s 4s -25%
poly_power2round 3s 3s +0%
poly_shiftl 3s 1s +200%
poly_use_hint 3s 3s +0%
poly_use_hint_native 3s 3s +0%
polyeta_pack 3s 3s +0%
polyt0_pack 3s 3s +0%
polyveck_pack_w1 3s 5s -40%
polyveck_unpack_t0 3s 5s -40%
polyvecl_pack_eta 3s 3s +0%
polyvecl_permute_bitrev_to_custom 3s 4s -25%
polyvecl_pointwise_acc_montgomery 3s 1s +200%
polyw1_pack 3s 5s -40%
polyz_pack 3s 3s +0%
polyz_unpack_native 3s 3s +0%
shake128x4_squeezeblocks 3s 1s +200%
shake256_absorb 3s 1s +200%
shake256x4_squeezeblocks 3s 3s +0%
sign_signature_extmu 3s 3s +0%
sign_verify 3s 3s +0%
unpack_sig 3s 4s -25%
intt_native_x86_64 2s - new
keccak_init 2s 3s -33%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600x4_extract_bytes 2s 3s -33%
make_hint 2s 3s -33%
mld_ct_abs_i32 2s 3s -33%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_value_barrier_i64 2s 3s -33%
mld_value_barrier_u32 2s 2s +0%
montgomery_reduce 2s 3s -33%
pack_pk 2s 5s -60%
pack_sig_z 2s 3s -33%
poly_ntt 2s 3s -33%
poly_sub 2s 4s -50%
poly_uniform_gamma1 2s 4s -50%
poly_use_hint_c 2s 3s -33%
polyt1_pack 2s 2s +0%
polyt1_unpack 2s 2s +0%
polyveck_pack_t0 2s 4s -50%
polyz_unpack 2s 3s -33%
reduce32 2s 2s +0%
rej_eta 2s 3s -33%
shake128_finalize 2s 2s +0%
shake128_init 2s 3s -33%
shake128_release 2s 4s -50%
shake128_squeeze 2s 4s -50%
shake256_release 2s 4s -50%
sign_signature_pre_hash_shake256 2s 2s +0%
sys_check_capability 2s 3s -33%
unpack_pk 2s 4s -50%
mld_ct_cmask_neg_i32 1s 2s -50%
mld_ct_cmask_nonzero_u32 1s 2s -50%
mld_ct_cmask_nonzero_u8 1s 3s -67%
power2round 1s 4s -75%
shake128x4_absorb_once 1s 2s -50%
shake256_squeeze 1s 3s -67%

@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 3, 2026
edited
Loading

CBMC Results (ML-DSA-65)

Full Results (175 proofs)
Proof Status Current Previous Change
**TOTAL** 2332s 2200s +6.0%
polyvecl_pointwise_acc_montgomery_c 242s 211s +15%
sign_verify_internal 210s 206s +2%
mld_attempt_signature_generation 199s 195s +2%
poly_pointwise_montgomery_c 141s 127s +11%
rej_uniform_native 133s 126s +6%
mld_invntt_layer 122s 107s +14%
polyvec_matrix_expand 99s 95s +4%
mld_ct_memcmp 85s 77s +10%
mld_ntt_layer 73s 69s +6%
polyvec_matrix_expand_serial 67s 65s +3%
poly_invntt_tomont_c 48s 46s +4%
sign_signature_internal 44s 46s -4%
keccak_squeezeblocks_x4 41s 41s +0%
mld_compute_t0_t1_tr_from_sk_components 24s 25s -4%
fqmul 21s 20s +5%
rej_uniform 21s 20s +5%
poly_uniform_eta_4x 19s 19s +0%
polymat_permute_bitrev_to_custom 19s 17s +12%
poly_chknorm_c 18s 19s -5%
rej_uniform_c 18s 17s +6%
poly_uniform_4x 15s 14s +7%
polyt0_unpack 15s 13s +15%
polyveck_decompose 15s 15s +0%
polyvec_matrix_pointwise_montgomery 14s 15s -7%
keccakf1600x4_permute_native 13s 12s +8%
mld_ntt_butterfly_block 13s 13s +0%
sign_pk_from_sk 11s 5s +120%
keccak_absorb_once_x4 10s 10s +0%
polyveck_ntt 10s 8s +25%
keccakf1600_permute_native 9s 8s +12%
poly_decompose_c 9s 8s +12%
polyveck_add 9s 8s +12%
polyveck_caddq 9s 8s +12%
polyveck_pointwise_poly_montgomery 9s 6s +50%
polyveck_reduce 9s 6s +50%
sign_keypair_internal 9s 8s +12%
keccak_absorb 8s 5s +60%
keccakf1600_permute 8s 9s -11%
mld_check_pct 8s 7s +14%
polyveck_invntt_tomont 8s 8s +0%
polyveck_power2round 8s 10s -20%
polyveck_shiftl 8s 8s +0%
polyveck_unpack_t0 8s 4s +100%
polyveck_use_hint 8s 9s -11%
sign 8s 8s +0%
mld_compute_pack_z 7s 4s +75%
mld_polyvecl_permute_bitrev_to_custom_native 7s 10s -30%
polyeta_unpack 7s 4s +75%
polyveck_sub 7s 7s +0%
sign_signature 7s 4s +75%
polyvecl_chknorm 6s 4s +50%
polyvecl_ntt 6s 9s -33%
sign_verify 6s 5s +20%
sign_verify_extmu 6s 2s +200%
caddq 5s 3s +67%
intt_native_x86_64 5s - new
make_hint 5s 2s +150%
poly_invntt_tomont 5s 4s +25%
poly_uniform 5s 5s +0%
poly_use_hint_c 5s 6s -17%
polyveck_chknorm 5s 3s +67%
polyveck_unpack_eta 5s 4s +25%
polyvecl_pack_eta 5s 3s +67%
polyz_unpack_native 5s 3s +67%
rej_eta_c 5s 5s +0%
shake128x4_absorb_once 5s 3s +67%
sign_open 5s 4s +25%
decompose 4s 2s +100%
mld_ct_get_optblocker_u8 4s 2s +100%
mld_h 4s 4s +0%
mld_prepare_domain_separation_prefix 4s 4s +0%
mld_sample_s1_s2 4s 5s -20%
mld_sample_s1_s2_serial 4s 8s -50%
mld_value_barrier_i64 4s 2s +100%
pack_pk 4s 1s +300%
pack_sig_c_h 4s 6s -33%
poly_add 4s 4s +0%
poly_caddq 4s 2s +100%
poly_challenge 4s 3s +33%
poly_decompose 4s 3s +33%
poly_reduce 4s 3s +33%
poly_shiftl 4s 3s +33%
poly_uniform_eta 4s 6s -33%
poly_uniform_gamma1_4x 4s 2s +100%
polyveck_make_hint 4s 4s +0%
polyveck_pack_t0 4s 3s +33%
polyvecl_pointwise_acc_montgomery 4s 4s +0%
polyvecl_pointwise_acc_montgomery_native 4s 6s -33%
polyvecl_uniform_gamma1 4s 2s +100%
polyw1_pack 4s 5s -20%
polyz_unpack_c 4s 4s +0%
rej_eta_native 4s 4s +0%
shake128_absorb 4s 3s +33%
shake128_init 4s 2s +100%
shake256_absorb 4s 3s +33%
sign_keypair 4s 5s -20%
sign_signature_pre_hash_shake256 4s 3s +33%
sign_verify_pre_hash_internal 4s 5s -20%
sign_verify_pre_hash_shake256 4s 4s +0%
unpack_sig 4s 1s +300%
unpack_sk 4s 3s +33%
fqscale 3s 3s +0%
keccak_init 3s 2s +50%
keccak_squeeze 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 1s +200%
mld_ct_abs_i32 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_ct_get_optblocker_i64 3s 2s +50%
mld_ct_sel_int32 3s 2s +50%
mld_keccakf1600_extract_bytes 3s 2s +50%
mld_value_barrier_u32 3s 2s +50%
montgomery_reduce 3s 4s -25%
ntt_native_x86_64 3s 3s +0%
poly_caddq_native 3s 3s +0%
poly_caddq_native_aarch64 3s 2s +50%
poly_chknorm 3s 2s +50%
poly_decompose_native 3s 3s +0%
poly_invntt_tomont_native 3s 3s +0%
poly_pointwise_montgomery 3s 4s -25%
poly_pointwise_montgomery_native 3s 6s -50%
poly_uniform_gamma1 3s 3s +0%
poly_use_hint 3s 3s +0%
polyt0_pack 3s 4s -25%
polyveck_pack_w1 3s 2s +50%
polyvecl_permute_bitrev_to_custom 3s 5s -40%
polyvecl_uniform_gamma1_serial 3s 3s +0%
polyvecl_unpack_z 3s 3s +0%
polyz_pack 3s 2s +50%
rej_eta 3s 5s -40%
shake128_squeeze 3s 4s -25%
shake128x4_squeezeblocks 3s 2s +50%
shake256 3s 3s +0%
shake256x4_absorb_once 3s 2s +50%
sign_signature_extmu 3s 4s -25%
sign_signature_pre_hash_internal 3s 4s -25%
unpack_hints 3s 5s -40%
keccak_finalize 2s 2s +0%
keccakf1600_xor_bytes 2s 2s +0%
keccakf1600_xor_bytes (big endian) 2s 6s -67%
keccakf1600x4_permute 2s 2s +0%
keccakf1600x4_xor_bytes 2s 1s +100%
mld_ct_cmask_nonzero_u8 2s 2s +0%
pack_sig_z 2s 4s -50%
pack_sk 2s 3s -33%
poly_caddq_c 2s 4s -50%
poly_chknorm_native 2s 4s -50%
poly_make_hint 2s 5s -60%
poly_ntt 2s 3s -33%
poly_ntt_c 2s 1s +100%
poly_ntt_native 2s 4s -50%
poly_power2round 2s 2s +0%
poly_sub 2s 4s -50%
poly_use_hint_native 2s 4s -50%
polyeta_pack 2s 4s -50%
polyt1_pack 2s 2s +0%
polyt1_unpack 2s 2s +0%
polyveck_pack_eta 2s 3s -33%
polyvecl_unpack_eta 2s 4s -50%
polyz_unpack 2s 3s -33%
power2round 2s 2s +0%
reduce32 2s 3s -33%
shake128_finalize 2s 3s -33%
shake128_release 2s 1s +100%
shake256_finalize 2s 2s +0%
shake256_release 2s 1s +100%
shake256_squeeze 2s 3s -33%
shake256x4_squeezeblocks 2s 2s +0%
sys_check_capability 2s 2s +0%
unpack_pk 2s 3s -33%
keccakf1600x4_extract_bytes 1s 2s -50%
mld_ct_cmask_neg_i32 1s 3s -67%
mld_ct_get_optblocker_u32 1s 2s -50%
mld_value_barrier_u8 1s 4s -75%
shake256_init 1s 1s +0%
use_hint 1s 3s -67%

@jakemas jakemas marked this pull request as ready for review February 4, 2026 01:19
@jakemas jakemas requested a review from a team as a code owner February 4, 2026 01:19
mkannwischer
mkannwischer reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @jakemas. The pre- and post-conidtions look good to me except for the MAYCHANGE (see comment below).
Can we already add a CBMC proof to not risk forgetting it later?

proofs/hol_light/x86_64/proofs/mldsa_intt.ml
Comment on lines +4310 to +4311
MAYCHANGE [ZMM0; ZMM1; ZMM2; ZMM3; ZMM4; ZMM5; ZMM6; ZMM7; ZMM8; ZMM9; ZMM10; ZMM11; ZMM12; ZMM13; ZMM14; ZMM15] ,,
MAYCHANGE [RAX] ,, MAYCHANGE SOME_FLAGS ,,
Copy link
Contributor

@mkannwischer mkannwischer Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't those be covered by MAYCHANGE_REGS_AND_FLAGS_PERMITTED_BY_ABI? I don't see this stated explicitly for other proofs.

Copy link
Contributor Author

@jakemas jakemas Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've always had to include these in my proofs, here are other examples of this:

My understanding is that it is a consequence of this issue: awslabs/s2n-bignum#256

Copy link
Contributor

@hanno-becker hanno-becker Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the correctness of the function body (without ret) I think it's OK to be more specific as to what's actually being used.

proofs/hol_light/x86_64/proofs/mldsa_intt.ml
==> let zi =
read(memory :> bytes32(word_add a (word(4 * i)))) s in
(ival zi == mldsa_inverse_ntt (ival o x) i) (mod &8380417) /\
abs(ival zi) <= &8380416))
Copy link
Contributor

@mkannwischer mkannwischer Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One could try to prove a much smaller bound here. We know the bound is definitely smaller than 3/4*q in absolute value. Not necessary though, I think.

Copy link
Contributor

@hanno-becker hanno-becker Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Echoing that, it would be good to know for future changes what the actual bound is that comes out of the symbolic execution.

Copy link
Contributor Author

@jakemas jakemas Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I completely agree, I can do some follow up investigations as to the bound found within symbolic execution.

Copy link
Contributor Author

@jakemas jakemas Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the actual bound that comes out of the symbolic execution is abs(ival zi) <= &4197972 (i.e., ~MLDSA_Q/2). I'm running some tests now to confirm.

proofs/hol_light/x86_64/proofs/mldsa_intt.ml
read (memory :> bytes64 stackpointer) s = returnaddress /\
C_ARGUMENTS [a; zetas] s /\
wordlist_from_memory(zetas,624) s = MAP (iword: int -> 32 word) mldsa_complete_qdata /\
(!i. i < 256 ==> abs(ival(x i)) <= &8380416) /\
Copy link
Contributor

@mkannwischer mkannwischer Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bounds exactly match what's required by the CBMC contract.
Could you please add the corresponding proof (see #806)?

Copy link
Contributor Author

@jakemas jakemas Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, added CBMC proof contract.

@jakemas jakemas force-pushed the mldsa-intt-proof branch 2 times, most recently from 1091827 to 0377594 Compare February 7, 2026 03:57
mkannwischer
mkannwischer requested changes Feb 7, 2026
View reviewed changes
Copy link
Contributor

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Somehow you have removed the intt proof and pushed the nttunpack proof. Can you please restore the intt proof?

@jakemas
Copy link
Contributor Author

jakemas commented Feb 7, 2026

Somehow you have removed the intt proof and pushed the nttunpack proof. Can you please restore the intt proof?

Thank you, I tried to rebase but pushed the wrong branch!

@jakemas
Hol-Light: Add x86 AVX2 iNTT proof
2c2a426 
Signed-off-by: Jake Massimo <jakemas@amazon.com>
@hanno-becker
HOL-Light/x86_64: Strengthen iNTT output bound to 3q/4
c79b831 
Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hanno-becker hanno-becker hanno-becker left review comments

@mkannwischer mkannwischer mkannwischer requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

hol-light

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HOL-Light: Prove AVX2 INTT

4 participants

@jakemas @oqs-bot @mkannwischer @hanno-becker