HOL-Light: Add x86 AVX2 nttunpack proof

[jakemas]

• Resolves HOL-Light: Prove AVX2 nttunpack #913

[oqs-bot]

CBMC Results (ML-DSA-87)

Full Results (176 proofs)

Proof	Status	Current	Previous	Change
**TOTAL**	✅	2448s	2583s	-5.2%
sign_verify_internal	✅	291s	316s	-8%
mld_attempt_signature_generation	✅	216s	230s	-6%
polyvecl_pointwise_acc_montgomery_c	✅	177s	186s	-5%
polyvec_matrix_expand	✅	159s	168s	-5%
rej_uniform_native	✅	141s	154s	-8%
poly_pointwise_montgomery_c	✅	133s	154s	-14%
mld_invntt_layer	✅	115s	125s	-8%
polyvec_matrix_expand_serial	✅	103s	111s	-7%
mld_ct_memcmp	✅	79s	86s	-8%
sign_signature_internal	✅	73s	75s	-3%
mld_ntt_layer	✅	44s	49s	-10%
keccak_squeezeblocks_x4	✅	41s	45s	-9%
mld_compute_t0_t1_tr_from_sk_components	✅	28s	25s	+12%
polymat_permute_bitrev_to_custom	✅	27s	24s	+12%
rej_uniform	✅	23s	26s	-12%
fqmul	✅	19s	21s	-10%
rej_uniform_c	✅	18s	18s	+0%
poly_chknorm_c	✅	17s	18s	-6%
poly_uniform_eta_4x	✅	16s	18s	-11%
polyt0_unpack	✅	16s	14s	+14%
polyveck_add	✅	16s	14s	+14%
keccak_absorb_once_x4	✅	13s	12s	+8%
poly_uniform_4x	✅	13s	16s	-19%
polyeta_unpack	✅	13s	13s	+0%
polyveck_power2round	✅	13s	13s	+0%
keccakf1600x4_permute_native	✅	12s	12s	+0%
mld_ntt_butterfly_block	✅	12s	13s	-8%
polyvec_matrix_pointwise_montgomery	✅	12s	12s	+0%
mld_check_pct	✅	11s	9s	+22%
mld_compute_pack_z	✅	10s	11s	-9%
poly_decompose_c	✅	10s	10s	+0%
polyveck_caddq	✅	9s	9s	+0%
polyveck_pointwise_poly_montgomery	✅	9s	7s	+29%
keccakf1600_permute_native	✅	8s	8s	+0%
mld_polyvecl_permute_bitrev_to_custom_native	✅	8s	9s	-11%
mld_sample_s1_s2	✅	8s	8s	+0%
poly_invntt_tomont_c	✅	8s	9s	-11%
polyveck_decompose	✅	8s	8s	+0%
polyveck_reduce	✅	8s	9s	-11%
polyveck_use_hint	✅	8s	10s	-20%
polyvecl_ntt	✅	8s	8s	+0%
polyvecl_unpack_eta	✅	8s	5s	+60%
sign	✅	8s	8s	+0%
sign_pk_from_sk	✅	8s	9s	-11%
keccak_absorb	✅	7s	5s	+40%
keccakf1600_permute	✅	7s	7s	+0%
poly_invntt_tomont_native	✅	7s	3s	+133%
polyveck_chknorm	✅	7s	8s	-12%
polyvecl_chknorm	✅	7s	6s	+17%
polyz_pack	✅	7s	4s	+75%
pack_sk	✅	6s	2s	+200%
polyveck_invntt_tomont	✅	6s	6s	+0%
polyveck_make_hint	✅	6s	7s	-14%
polyveck_ntt	✅	6s	7s	-14%
polyveck_shiftl	✅	6s	6s	+0%
shake128_squeeze	✅	6s	2s	+200%
sign_keypair_internal	✅	6s	6s	+0%
unpack_hints	✅	6s	6s	+0%
intt_native_x86_64	✅	5s	5s	+0%
keccakf1600_xor_bytes	✅	5s	2s	+150%
keccakf1600_xor_bytes (big endian)	✅	5s	2s	+150%
mld_prepare_domain_separation_prefix	✅	5s	4s	+25%
mld_sample_s1_s2_serial	✅	5s	10s	-50%
pack_pk	✅	5s	5s	+0%
pack_sig_c_h	✅	5s	5s	+0%
poly_ntt	✅	5s	3s	+67%
poly_ntt_native	✅	5s	2s	+150%
poly_pointwise_montgomery_native	✅	5s	2s	+150%
poly_uniform	✅	5s	6s	-17%
poly_uniform_eta	✅	5s	5s	+0%
polyveck_pack_eta	✅	5s	3s	+67%
polyveck_sub	✅	5s	7s	-29%
polyveck_unpack_t0	✅	5s	5s	+0%
polyz_unpack_c	✅	5s	6s	-17%
rej_eta	✅	5s	3s	+67%
caddq	✅	4s	3s	+33%
fqscale	✅	4s	3s	+33%
keccak_init	✅	4s	4s	+0%
make_hint	✅	4s	3s	+33%
mld_ct_cmask_neg_i32	✅	4s	2s	+100%
mld_h	✅	4s	3s	+33%
mld_value_barrier_i64	✅	4s	3s	+33%
poly_challenge	✅	4s	6s	-33%
poly_decompose_native	✅	4s	4s	+0%
poly_make_hint	✅	4s	5s	-20%
poly_power2round	✅	4s	2s	+100%
poly_reduce	✅	4s	2s	+100%
polyt0_pack	✅	4s	4s	+0%
polyt1_pack	✅	4s	4s	+0%
polyveck_pack_t0	✅	4s	2s	+100%
polyvecl_pointwise_acc_montgomery	✅	4s	4s	+0%
reduce32	✅	4s	5s	-20%
shake128_release	✅	4s	5s	-20%
shake256	✅	4s	3s	+33%
shake256_absorb	✅	4s	2s	+100%
shake256_init	✅	4s	2s	+100%
sign_keypair	✅	4s	5s	-20%
sign_open	✅	4s	2s	+100%
sign_signature_pre_hash_internal	✅	4s	5s	-20%
sign_signature_pre_hash_shake256	✅	4s	2s	+100%
sign_verify_extmu	✅	4s	7s	-43%
sign_verify_pre_hash_internal	✅	4s	5s	-20%
unpack_sk	✅	4s	5s	-20%
decompose	✅	3s	4s	-25%
keccakf1600x4_extract_bytes	✅	3s	1s	+200%
keccakf1600x4_permute	✅	3s	3s	+0%
mld_ct_cmask_nonzero_u32	✅	3s	1s	+200%
mld_ct_cmask_nonzero_u8	✅	3s	2s	+50%
mld_keccakf1600_extract_bytes	✅	3s	3s	+0%
mld_value_barrier_u32	✅	3s	2s	+50%
montgomery_reduce	✅	3s	3s	+0%
ntt_native_x86_64	✅	3s	2s	+50%
nttunpack_native_x86_64	✅	3s	-	new
poly_add	✅	3s	3s	+0%
poly_caddq_native_aarch64	✅	3s	3s	+0%
poly_chknorm	✅	3s	2s	+50%
poly_ntt_c	✅	3s	4s	-25%
poly_shiftl	✅	3s	4s	-25%
poly_uniform_gamma1	✅	3s	4s	-25%
poly_uniform_gamma1_4x	✅	3s	4s	-25%
poly_use_hint	✅	3s	2s	+50%
poly_use_hint_c	✅	3s	3s	+0%
poly_use_hint_native	✅	3s	4s	-25%
polyeta_pack	✅	3s	4s	-25%
polyt1_unpack	✅	3s	5s	-40%
polyveck_unpack_eta	✅	3s	3s	+0%
polyvecl_pointwise_acc_montgomery_native	✅	3s	3s	+0%
polyvecl_uniform_gamma1	✅	3s	4s	-25%
polyvecl_uniform_gamma1_serial	✅	3s	4s	-25%
polyvecl_unpack_z	✅	3s	5s	-40%
polyw1_pack	✅	3s	2s	+50%
polyz_unpack_native	✅	3s	3s	+0%
power2round	✅	3s	1s	+200%
rej_eta_native	✅	3s	4s	-25%
shake128_finalize	✅	3s	4s	-25%
shake128x4_squeezeblocks	✅	3s	3s	+0%
shake256_finalize	✅	3s	3s	+0%
shake256_release	✅	3s	3s	+0%
shake256x4_absorb_once	✅	3s	2s	+50%
shake256x4_squeezeblocks	✅	3s	2s	+50%
sign_signature	✅	3s	3s	+0%
sign_signature_extmu	✅	3s	5s	-40%
sign_verify	✅	3s	4s	-25%
sign_verify_pre_hash_shake256	✅	3s	5s	-40%
sys_check_capability	✅	3s	4s	-25%
unpack_pk	✅	3s	5s	-40%
use_hint	✅	3s	3s	+0%
keccak_squeeze	✅	2s	4s	-50%
keccakf1600_extract_bytes (big endian)	✅	2s	2s	+0%
keccakf1600x4_xor_bytes	✅	2s	2s	+0%
mld_ct_abs_i32	✅	2s	2s	+0%
mld_ct_get_optblocker_i64	✅	2s	3s	-33%
mld_ct_get_optblocker_u8	✅	2s	2s	+0%
mld_value_barrier_u8	✅	2s	2s	+0%
pack_sig_z	✅	2s	4s	-50%
poly_caddq	✅	2s	2s	+0%
poly_caddq_c	✅	2s	3s	-33%
poly_caddq_native	✅	2s	3s	-33%
poly_chknorm_native	✅	2s	3s	-33%
poly_decompose	✅	2s	4s	-50%
poly_pointwise_montgomery	✅	2s	3s	-33%
poly_sub	✅	2s	2s	+0%
polyveck_pack_w1	✅	2s	3s	-33%
polyvecl_pack_eta	✅	2s	4s	-50%
polyvecl_permute_bitrev_to_custom	✅	2s	2s	+0%
polyz_unpack	✅	2s	3s	-33%
rej_eta_c	✅	2s	4s	-50%
shake128_absorb	✅	2s	2s	+0%
shake128x4_absorb_once	✅	2s	3s	-33%
shake256_squeeze	✅	2s	3s	-33%
keccak_finalize	✅	1s	4s	-75%
mld_ct_get_optblocker_u32	✅	1s	3s	-67%
mld_ct_sel_int32	✅	1s	3s	-67%
poly_invntt_tomont	✅	1s	2s	-50%
shake128_init	✅	1s	3s	-67%
unpack_sig	✅	1s	8s	-88%

[oqs-bot]

CBMC Results (ML-DSA-44)

Full Results (176 proofs)

Proof	Status	Current	Previous	Change
**TOTAL**	✅	2033s	2021s	+0.6%
mld_attempt_signature_generation	✅	303s	304s	-0%
polyvecl_pointwise_acc_montgomery_c	✅	193s	197s	-2%
sign_verify_internal	✅	182s	188s	-3%
rej_uniform_native	✅	137s	140s	-2%
poly_pointwise_montgomery_c	✅	135s	129s	+5%
mld_invntt_layer	✅	113s	115s	-2%
mld_ct_memcmp	✅	76s	78s	-3%
keccak_squeezeblocks_x4	✅	44s	42s	+5%
mld_ntt_layer	✅	43s	43s	+0%
sign_signature_internal	✅	23s	20s	+15%
rej_uniform	✅	20s	21s	-5%
fqmul	✅	19s	20s	-5%
poly_uniform_eta_4x	✅	17s	19s	-11%
polymat_permute_bitrev_to_custom	✅	17s	15s	+13%
poly_chknorm_c	✅	16s	14s	+14%
rej_uniform_c	✅	16s	16s	+0%
keccakf1600x4_permute_native	✅	15s	12s	+25%
keccak_absorb_once_x4	✅	14s	10s	+40%
mld_compute_t0_t1_tr_from_sk_components	✅	14s	15s	-7%
mld_ntt_butterfly_block	✅	14s	13s	+8%
mld_polyvecl_permute_bitrev_to_custom_native	✅	14s	13s	+8%
polyt0_unpack	✅	14s	13s	+8%
polyvec_matrix_expand	✅	14s	14s	+0%
poly_uniform_4x	✅	13s	12s	+8%
polyeta_unpack	✅	13s	12s	+8%
polyz_unpack_c	✅	10s	10s	+0%
keccakf1600_permute_native	✅	8s	11s	-27%
mld_compute_pack_z	✅	8s	7s	+14%
polyveck_add	✅	8s	7s	+14%
keccakf1600_permute	✅	7s	8s	-12%
polyvec_matrix_expand_serial	✅	7s	8s	-12%
polyveck_ntt	✅	7s	9s	-22%
sign_pk_from_sk	✅	7s	6s	+17%
mld_check_pct	✅	6s	8s	-25%
mld_sample_s1_s2	✅	6s	7s	-14%
poly_invntt_tomont_c	✅	6s	7s	-14%
poly_uniform_eta	✅	6s	4s	+50%
polyvec_matrix_pointwise_montgomery	✅	6s	5s	+20%
polyveck_caddq	✅	6s	4s	+50%
polyveck_power2round	✅	6s	5s	+20%
polyveck_reduce	✅	6s	8s	-25%
polyvecl_chknorm	✅	6s	5s	+20%
polyvecl_ntt	✅	6s	8s	-25%
polyvecl_uniform_gamma1_serial	✅	6s	2s	+200%
sign	✅	6s	6s	+0%
sign_signature	✅	6s	6s	+0%
keccakf1600_xor_bytes	✅	5s	2s	+150%
montgomery_reduce	✅	5s	2s	+150%
poly_challenge	✅	5s	3s	+67%
poly_invntt_tomont_native	✅	5s	2s	+150%
poly_ntt_c	✅	5s	5s	+0%
polyt0_pack	✅	5s	7s	-29%
polyt1_unpack	✅	5s	3s	+67%
polyveck_decompose	✅	5s	5s	+0%
polyveck_invntt_tomont	✅	5s	5s	+0%
polyveck_use_hint	✅	5s	6s	-17%
polyw1_pack	✅	5s	4s	+25%
polyz_pack	✅	5s	2s	+150%
shake128_finalize	✅	5s	1s	+400%
sign_keypair_internal	✅	5s	2s	+150%
sign_open	✅	5s	5s	+0%
sign_verify_pre_hash_internal	✅	5s	2s	+150%
unpack_hints	✅	5s	6s	-17%
use_hint	✅	5s	3s	+67%
decompose	✅	4s	3s	+33%
intt_native_x86_64	✅	4s	2s	+100%
keccak_absorb	✅	4s	5s	-20%
keccak_init	✅	4s	6s	-33%
keccakf1600x4_permute	✅	4s	1s	+300%
keccakf1600x4_xor_bytes	✅	4s	2s	+100%
make_hint	✅	4s	2s	+100%
mld_ct_cmask_nonzero_u8	✅	4s	4s	+0%
mld_h	✅	4s	4s	+0%
mld_prepare_domain_separation_prefix	✅	4s	4s	+0%
pack_sig_c_h	✅	4s	2s	+100%
poly_add	✅	4s	4s	+0%
poly_caddq	✅	4s	3s	+33%
poly_caddq_native	✅	4s	2s	+100%
poly_invntt_tomont	✅	4s	5s	-20%
poly_make_hint	✅	4s	3s	+33%
poly_pointwise_montgomery_native	✅	4s	2s	+100%
poly_use_hint_c	✅	4s	4s	+0%
polyt1_pack	✅	4s	3s	+33%
polyveck_chknorm	✅	4s	2s	+100%
polyveck_pack_t0	✅	4s	2s	+100%
polyveck_pack_w1	✅	4s	2s	+100%
polyveck_pointwise_poly_montgomery	✅	4s	5s	-20%
polyveck_shiftl	✅	4s	4s	+0%
polyveck_sub	✅	4s	3s	+33%
polyvecl_permute_bitrev_to_custom	✅	4s	3s	+33%
rej_eta_c	✅	4s	5s	-20%
rej_eta_native	✅	4s	4s	+0%
shake128x4_absorb_once	✅	4s	3s	+33%
shake256_squeeze	✅	4s	3s	+33%
sign_signature_extmu	✅	4s	3s	+33%
sign_signature_pre_hash_internal	✅	4s	3s	+33%
unpack_sig	✅	4s	3s	+33%
unpack_sk	✅	4s	3s	+33%
caddq	✅	3s	3s	+0%
fqscale	✅	3s	1s	+200%
keccakf1600x4_extract_bytes	✅	3s	2s	+50%
mld_ct_abs_i32	✅	3s	2s	+50%
mld_ct_get_optblocker_u32	✅	3s	2s	+50%
mld_ct_sel_int32	✅	3s	2s	+50%
mld_value_barrier_u8	✅	3s	2s	+50%
pack_pk	✅	3s	3s	+0%
pack_sig_z	✅	3s	5s	-40%
poly_chknorm	✅	3s	2s	+50%
poly_chknorm_native	✅	3s	3s	+0%
poly_decompose_c	✅	3s	3s	+0%
poly_decompose_native	✅	3s	2s	+50%
poly_ntt_native	✅	3s	4s	-25%
poly_pointwise_montgomery	✅	3s	1s	+200%
poly_power2round	✅	3s	2s	+50%
poly_reduce	✅	3s	4s	-25%
poly_sub	✅	3s	4s	-25%
poly_uniform	✅	3s	3s	+0%
poly_uniform_gamma1	✅	3s	3s	+0%
poly_uniform_gamma1_4x	✅	3s	4s	-25%
poly_use_hint	✅	3s	2s	+50%
polyveck_pack_eta	✅	3s	2s	+50%
polyveck_unpack_t0	✅	3s	3s	+0%
polyvecl_pack_eta	✅	3s	3s	+0%
polyvecl_unpack_eta	✅	3s	4s	-25%
polyvecl_unpack_z	✅	3s	4s	-25%
polyz_unpack_native	✅	3s	4s	-25%
power2round	✅	3s	2s	+50%
reduce32	✅	3s	2s	+50%
rej_eta	✅	3s	2s	+50%
shake128_absorb	✅	3s	3s	+0%
shake128_init	✅	3s	3s	+0%
shake128x4_squeezeblocks	✅	3s	2s	+50%
shake256_init	✅	3s	2s	+50%
sign_keypair	✅	3s	3s	+0%
sign_signature_pre_hash_shake256	✅	3s	5s	-40%
sign_verify	✅	3s	6s	-50%
sign_verify_extmu	✅	3s	6s	-50%
sign_verify_pre_hash_shake256	✅	3s	3s	+0%
sys_check_capability	✅	3s	4s	-25%
unpack_pk	✅	3s	3s	+0%
keccak_finalize	✅	2s	2s	+0%
keccak_squeeze	✅	2s	3s	-33%
keccakf1600_extract_bytes (big endian)	✅	2s	2s	+0%
mld_ct_cmask_neg_i32	✅	2s	3s	-33%
mld_ct_cmask_nonzero_u32	✅	2s	4s	-50%
mld_sample_s1_s2_serial	✅	2s	4s	-50%
mld_value_barrier_u32	✅	2s	2s	+0%
ntt_native_x86_64	✅	2s	3s	-33%
nttunpack_native_x86_64	✅	2s	-	new
pack_sk	✅	2s	2s	+0%
poly_decompose	✅	2s	3s	-33%
poly_ntt	✅	2s	2s	+0%
poly_shiftl	✅	2s	5s	-60%
poly_use_hint_native	✅	2s	4s	-50%
polyeta_pack	✅	2s	5s	-60%
polyveck_make_hint	✅	2s	5s	-60%
polyveck_unpack_eta	✅	2s	3s	-33%
polyvecl_pointwise_acc_montgomery_native	✅	2s	4s	-50%
polyvecl_uniform_gamma1	✅	2s	5s	-60%
polyz_unpack	✅	2s	3s	-33%
shake128_release	✅	2s	4s	-50%
shake128_squeeze	✅	2s	3s	-33%
shake256	✅	2s	1s	+100%
shake256_release	✅	2s	2s	+0%
shake256x4_absorb_once	✅	2s	3s	-33%
shake256x4_squeezeblocks	✅	2s	1s	+100%
keccakf1600_xor_bytes (big endian)	✅	1s	4s	-75%
mld_ct_get_optblocker_i64	✅	1s	2s	-50%
mld_ct_get_optblocker_u8	✅	1s	2s	-50%
mld_keccakf1600_extract_bytes	✅	1s	3s	-67%
mld_value_barrier_i64	✅	1s	2s	-50%
poly_caddq_c	✅	1s	3s	-67%
poly_caddq_native_aarch64	✅	1s	3s	-67%
polyvecl_pointwise_acc_montgomery	✅	1s	5s	-80%
shake256_absorb	✅	1s	2s	-50%
shake256_finalize	✅	1s	2s	-50%

[oqs-bot]

CBMC Results (ML-DSA-65)

Full Results (176 proofs)

Proof	Status	Current	Previous	Change
**TOTAL**	✅	2282s	2472s	-7.7%
mld_attempt_signature_generation	✅	225s	261s	-14%
polyvecl_pointwise_acc_montgomery_c	✅	225s	257s	-12%
sign_verify_internal	✅	198s	216s	-8%
rej_uniform_native	✅	143s	154s	-7%
poly_pointwise_montgomery_c	✅	124s	160s	-22%
mld_invntt_layer	✅	117s	131s	-11%
polyvec_matrix_expand	✅	113s	125s	-10%
mld_ct_memcmp	✅	83s	87s	-5%
polyvec_matrix_expand_serial	✅	65s	69s	-6%
keccak_squeezeblocks_x4	✅	43s	45s	-4%
mld_ntt_layer	✅	43s	50s	-14%
sign_signature_internal	✅	42s	45s	-7%
mld_compute_t0_t1_tr_from_sk_components	✅	26s	26s	+0%
fqmul	✅	19s	19s	+0%
polymat_permute_bitrev_to_custom	✅	19s	20s	-5%
polyveck_decompose	✅	19s	18s	+6%
rej_uniform	✅	19s	21s	-10%
poly_chknorm_c	✅	17s	18s	-6%
rej_uniform_c	✅	17s	19s	-11%
poly_uniform_4x	✅	16s	14s	+14%
poly_uniform_eta_4x	✅	16s	17s	-6%
polyvec_matrix_pointwise_montgomery	✅	16s	14s	+14%
polyt0_unpack	✅	15s	17s	-12%
mld_polyvecl_permute_bitrev_to_custom_native	✅	14s	19s	-26%
polyveck_use_hint	✅	13s	14s	-7%
mld_ntt_butterfly_block	✅	12s	12s	+0%
polyvecl_ntt	✅	12s	8s	+50%
keccak_absorb_once_x4	✅	11s	11s	+0%
keccakf1600x4_permute_native	✅	11s	13s	-15%
sign	✅	11s	12s	-8%
polyveck_add	✅	10s	9s	+11%
polyveck_invntt_tomont	✅	10s	12s	-17%
polyveck_sub	✅	10s	6s	+67%
keccakf1600_permute_native	✅	9s	9s	+0%
poly_invntt_tomont_c	✅	9s	9s	+0%
polyveck_power2round	✅	9s	7s	+29%
sign_pk_from_sk	✅	9s	10s	-10%
mld_compute_pack_z	✅	8s	7s	+14%
poly_decompose_c	✅	8s	7s	+14%
polyveck_caddq	✅	8s	9s	-11%
polyveck_ntt	✅	8s	10s	-20%
polyveck_shiftl	✅	8s	7s	+14%
mld_check_pct	✅	7s	9s	-22%
pack_pk	✅	7s	3s	+133%
poly_uniform	✅	7s	2s	+250%
keccak_absorb	✅	6s	7s	-14%
keccakf1600_permute	✅	6s	9s	-33%
keccakf1600x4_permute	✅	6s	3s	+100%
mld_sample_s1_s2	✅	6s	6s	+0%
poly_use_hint_native	✅	6s	3s	+100%
polyeta_unpack	✅	6s	8s	-25%
polyveck_reduce	✅	6s	8s	-25%
polyvecl_pointwise_acc_montgomery_native	✅	6s	4s	+50%
poly_uniform_gamma1_4x	✅	5s	4s	+25%
poly_use_hint_c	✅	5s	4s	+25%
polyveck_make_hint	✅	5s	5s	+0%
polyveck_pointwise_poly_montgomery	✅	5s	7s	-29%
polyveck_unpack_eta	✅	5s	4s	+25%
polyveck_unpack_t0	✅	5s	4s	+25%
polyvecl_permute_bitrev_to_custom	✅	5s	2s	+150%
polyvecl_pointwise_acc_montgomery	✅	5s	3s	+67%
polyvecl_uniform_gamma1	✅	5s	4s	+25%
polyz_unpack_c	✅	5s	4s	+25%
power2round	✅	5s	2s	+150%
rej_eta_c	✅	5s	3s	+67%
sign_keypair	✅	5s	3s	+67%
sign_open	✅	5s	3s	+67%
unpack_hints	✅	5s	4s	+25%
caddq	✅	4s	3s	+33%
keccakf1600_xor_bytes	✅	4s	3s	+33%
keccakf1600x4_extract_bytes	✅	4s	1s	+300%
mld_prepare_domain_separation_prefix	✅	4s	4s	+0%
mld_sample_s1_s2_serial	✅	4s	6s	-33%
poly_caddq	✅	4s	3s	+33%
poly_caddq_c	✅	4s	3s	+33%
poly_challenge	✅	4s	4s	+0%
poly_chknorm	✅	4s	4s	+0%
poly_chknorm_native	✅	4s	2s	+100%
poly_power2round	✅	4s	3s	+33%
poly_uniform_eta	✅	4s	6s	-33%
poly_use_hint	✅	4s	4s	+0%
polyt0_pack	✅	4s	5s	-20%
polyveck_chknorm	✅	4s	7s	-43%
polyveck_pack_eta	✅	4s	3s	+33%
polyveck_pack_t0	✅	4s	3s	+33%
polyveck_pack_w1	✅	4s	4s	+0%
polyvecl_chknorm	✅	4s	5s	-20%
polyvecl_unpack_eta	✅	4s	2s	+100%
polyvecl_unpack_z	✅	4s	4s	+0%
polyz_unpack_native	✅	4s	2s	+100%
reduce32	✅	4s	3s	+33%
rej_eta	✅	4s	2s	+100%
shake128x4_absorb_once	✅	4s	3s	+33%
sign_keypair_internal	✅	4s	6s	-33%
sign_signature	✅	4s	5s	-20%
sign_signature_extmu	✅	4s	5s	-20%
sign_signature_pre_hash_internal	✅	4s	7s	-43%
sign_signature_pre_hash_shake256	✅	4s	2s	+100%
sign_verify_pre_hash_internal	✅	4s	5s	-20%
sign_verify_pre_hash_shake256	✅	4s	6s	-33%
unpack_pk	✅	4s	4s	+0%
unpack_sig	✅	4s	4s	+0%
use_hint	✅	4s	4s	+0%
fqscale	✅	3s	1s	+200%
keccak_finalize	✅	3s	2s	+50%
keccakf1600_extract_bytes (big endian)	✅	3s	1s	+200%
keccakf1600_xor_bytes (big endian)	✅	3s	4s	-25%
keccakf1600x4_xor_bytes	✅	3s	5s	-40%
make_hint	✅	3s	2s	+50%
mld_ct_get_optblocker_i64	✅	3s	2s	+50%
mld_ct_get_optblocker_u32	✅	3s	3s	+0%
mld_ct_sel_int32	✅	3s	3s	+0%
mld_h	✅	3s	4s	-25%
mld_value_barrier_u8	✅	3s	2s	+50%
nttunpack_native_x86_64	✅	3s	-	new
pack_sig_c_h	✅	3s	3s	+0%
pack_sig_z	✅	3s	5s	-40%
poly_add	✅	3s	3s	+0%
poly_caddq_native	✅	3s	4s	-25%
poly_decompose_native	✅	3s	4s	-25%
poly_invntt_tomont_native	✅	3s	2s	+50%
poly_make_hint	✅	3s	4s	-25%
poly_ntt	✅	3s	2s	+50%
poly_pointwise_montgomery_native	✅	3s	2s	+50%
poly_reduce	✅	3s	3s	+0%
poly_sub	✅	3s	5s	-40%
poly_uniform_gamma1	✅	3s	4s	-25%
polyeta_pack	✅	3s	5s	-40%
polyt1_pack	✅	3s	4s	-25%
polyt1_unpack	✅	3s	6s	-50%
polyvecl_pack_eta	✅	3s	4s	-25%
polyvecl_uniform_gamma1_serial	✅	3s	2s	+50%
polyw1_pack	✅	3s	4s	-25%
polyz_pack	✅	3s	3s	+0%
polyz_unpack	✅	3s	3s	+0%
rej_eta_native	✅	3s	4s	-25%
shake128_finalize	✅	3s	6s	-50%
shake128_init	✅	3s	4s	-25%
shake128_release	✅	3s	3s	+0%
shake256	✅	3s	3s	+0%
shake256_absorb	✅	3s	2s	+50%
shake256_finalize	✅	3s	1s	+200%
shake256_init	✅	3s	3s	+0%
shake256x4_absorb_once	✅	3s	3s	+0%
sign_verify	✅	3s	4s	-25%
unpack_sk	✅	3s	3s	+0%
decompose	✅	2s	2s	+0%
intt_native_x86_64	✅	2s	4s	-50%
keccak_init	✅	2s	3s	-33%
keccak_squeeze	✅	2s	3s	-33%
mld_ct_abs_i32	✅	2s	2s	+0%
mld_ct_cmask_neg_i32	✅	2s	3s	-33%
mld_ct_cmask_nonzero_u32	✅	2s	5s	-60%
mld_ct_cmask_nonzero_u8	✅	2s	3s	-33%
mld_ct_get_optblocker_u8	✅	2s	5s	-60%
mld_keccakf1600_extract_bytes	✅	2s	2s	+0%
mld_value_barrier_i64	✅	2s	3s	-33%
mld_value_barrier_u32	✅	2s	1s	+100%
montgomery_reduce	✅	2s	3s	-33%
ntt_native_x86_64	✅	2s	3s	-33%
pack_sk	✅	2s	2s	+0%
poly_caddq_native_aarch64	✅	2s	4s	-50%
poly_decompose	✅	2s	2s	+0%
poly_invntt_tomont	✅	2s	3s	-33%
poly_ntt_c	✅	2s	1s	+100%
poly_ntt_native	✅	2s	2s	+0%
poly_pointwise_montgomery	✅	2s	3s	-33%
poly_shiftl	✅	2s	5s	-60%
shake128_squeeze	✅	2s	3s	-33%
shake128x4_squeezeblocks	✅	2s	2s	+0%
shake256_release	✅	2s	3s	-33%
shake256_squeeze	✅	2s	2s	+0%
shake256x4_squeezeblocks	✅	2s	2s	+0%
sign_verify_extmu	✅	2s	3s	-33%
sys_check_capability	✅	2s	2s	+0%
shake128_absorb	✅	1s	5s	-80%

[hanno-becker]

Looks good, @jakemas, thank you! Can you please to the CBMC spec+proof at the same time? You can express in C that the output is a permutation of the input.

[jakemas]

Looks good, @jakemas, thank you! Can you please to the CBMC spec+proof at the same time? You can express in C that the output is a permutation of the input.

Thanks! Added CBMC contract.

[hanno-becker]

This reordering is the same as used for the specification of the [inv]NTT, or not? It determines how the custom NTT domain differs from the normal bitreversed one.

If I understand that correctly, we should reuse the same definition(s) as for the [inv]NTT proofs.

[hanno-becker]

As I understand, the permutation here should be the same as for the [inv]NTT, so we should have only one set of HOL definition for those in mlkem_specs.ml.