Skip to content

HOL-Light: Add HOL Light proof for aarch64 polyz_unpack_{17,19}#971

Open
mkannwischer wants to merge 5 commits intomainfrom
hol-arm-zunpack
Open

HOL-Light: Add HOL Light proof for aarch64 polyz_unpack_{17,19}#971
mkannwischer wants to merge 5 commits intomainfrom
hol-arm-zunpack

Conversation

@mkannwischer
Copy link
Contributor

@mkannwischer mkannwischer commented Feb 14, 2026
edited
Loading

TODO

  • Merge back missing instructions into s2n-bignum, I opened a PR here.

mkannwischer and others added 3 commits February 14, 2026 17:23
@mkannwischer
Add HOL Light proof for aarch64 poly_chknorm
c5d7a1a 
Add a HOL Light functional correctness proof for the aarch64 ML-DSA
function poly_chknorm, which checks whether any polynomial coefficient
has absolute value >= a given bound.

This commit includes:
- Functional correctness proof showing the assembly computes
  `bitval(?i. i < 256 /\ abs(ival(x i)) >= ival bound)`
- autogen support for generating aarch64 HOL Light assembly
- Update of s2n-bignum

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
Add CBMC proof for aarch64 poly_chknorm_native
038fc0b 
This also fixes the contract of poly_chknorm_native - it was incorrectly
modelled as only returning -1 or 0, never 1.
This was actually a proof gap - CBMC was not happy with 0U - ret. This commit
changes it to use mld_ct_cmask_nonzero_u32 - which has exactly the behavior
we want here.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@hanno-becker @mkannwischer
HOL-Light/AArch64: Refactoring of poly_chknorm proof
dae2dff 
- Rewrite expressions during symbolic execution to keep
  system states readable
- Keep quantified propositions folded to the point where
  case-by-case analysis is needed
- Hoist all helper lemmas out of the main proof for
  better readability

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@mkannwischer mkannwischer changed the title HOL-Light: Add HOL Light proof for aarch64 polyz_unpack_17 HOL-Light: Add HOL Light proof for aarch64 polyz_unpack_{17,19} Feb 14, 2026
@mkannwischer
HOL-Light: Add HOL Light proof for aarch64 polyz_unpack_{17,19}
48ace3a 
Add functional correctness proofs for polyz_unpack_17 and polyz_unpack_19.
Closely following the decompress proofs from mlkem-native:
pq-code-package/mlkem-native#1543

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
CBMC: Add CBMC proof for aarch64 polyz_unpack
855dcd4 
Add CBMC contracts for native AArch64 polyz_unpack_17 and polyz_unpack_19
following corresponding HOL-Light specs.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer mkannwischer mentioned this pull request Feb 15, 2026
Open
@mkannwischer mkannwischer marked this pull request as ready for review February 15, 2026 05:35
@mkannwischer mkannwischer requested a review from a team as a code owner February 15, 2026 05:35
@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 15, 2026

CBMC Results (ML-DSA-65)

Full Results (178 proofs)
Proof Status Current Previous Change
**TOTAL** 2354s 2286s +3.0%
polyvecl_pointwise_acc_montgomery_c 247s 226s +9%
mld_attempt_signature_generation 204s 197s +4%
sign_verify_internal 181s 177s +2%
poly_pointwise_montgomery_c 147s 138s +7%
polyvec_matrix_expand 146s 145s +1%
rej_uniform_native 144s 144s +0%
mld_invntt_layer 117s 117s +0%
mld_ct_memcmp 83s 79s +5%
polyvec_matrix_expand_serial 68s 65s +5%
sign_signature_internal 51s 50s +2%
mld_ntt_layer 46s 44s +5%
keccak_squeezeblocks_x4 44s 42s +5%
mld_compute_t0_t1_tr_from_sk_components 26s 27s -4%
polymat_permute_bitrev_to_custom 23s 18s +28%
rej_uniform 21s 21s +0%
fqmul 20s 18s +11%
poly_uniform_eta_4x 20s 17s +18%
polyveck_decompose 20s 16s +25%
rej_uniform_c 20s 19s +5%
poly_chknorm_c 17s 16s +6%
poly_uniform_4x 16s 13s +23%
polyt0_unpack 16s 17s -6%
mld_ntt_butterfly_block 15s 13s +15%
mld_polyvecl_permute_bitrev_to_custom_native 14s 14s +0%
keccakf1600x4_permute_native 13s 14s -7%
polyvec_matrix_pointwise_montgomery 13s 14s -7%
polyveck_use_hint 13s 14s -7%
mld_check_pct 11s 9s +22%
polyveck_power2round 11s 11s +0%
sign 11s 9s +22%
keccak_absorb_once_x4 10s 10s +0%
poly_invntt_tomont_c 10s 8s +25%
polyveck_add 9s 9s +0%
polyveck_caddq 9s 8s +12%
polyvecl_ntt 9s 8s +12%
keccakf1600_permute 8s 9s -11%
keccakf1600_permute_native 8s 9s -11%
poly_decompose_c 8s 7s +14%
polyveck_invntt_tomont 8s 8s +0%
polyveck_ntt 8s 6s +33%
polyveck_reduce 8s 9s -11%
mld_h 7s 3s +133%
polyeta_unpack 7s 7s +0%
polyveck_shiftl 7s 8s -12%
decompose 6s 5s +20%
keccak_absorb 6s 5s +20%
mld_compute_pack_z 6s 7s -14%
poly_make_hint 6s 3s +100%
poly_uniform_gamma1_4x 6s 6s +0%
poly_use_hint_c 6s 7s -14%
polyveck_make_hint 6s 5s +20%
sign_open 6s 5s +20%
sign_pk_from_sk 6s 8s -25%
sign_verify_pre_hash_shake256 6s 6s +0%
use_hint 6s 2s +200%
fqscale 5s 4s +25%
mld_sample_s1_s2 5s 4s +25%
mld_sample_s1_s2_serial 5s 6s -17%
montgomery_reduce 5s 2s +150%
poly_challenge 5s 4s +25%
poly_decompose_native 5s 3s +67%
polyveck_pointwise_poly_montgomery 5s 6s -17%
polyveck_sub 5s 7s -29%
polyveck_unpack_t0 5s 3s +67%
polyvecl_chknorm 5s 5s +0%
polyvecl_pointwise_acc_montgomery_native 5s 5s +0%
rej_eta_native 5s 4s +25%
shake128_init 5s 1s +400%
sign_signature 5s 4s +25%
unpack_hints 5s 5s +0%
keccakf1600_xor_bytes (big endian) 4s 3s +33%
keccakf1600x4_permute 4s 1s +300%
mld_ct_sel_int32 4s 3s +33%
mld_value_barrier_u32 4s 3s +33%
mld_value_barrier_u8 4s 3s +33%
pack_pk 4s 3s +33%
pack_sig_c_h 4s 2s +100%
poly_caddq 4s 3s +33%
poly_chknorm_native 4s 4s +0%
poly_ntt_native 4s 3s +33%
poly_pointwise_montgomery 4s 5s -20%
poly_pointwise_montgomery_native 4s 2s +100%
poly_power2round 4s 5s -20%
poly_uniform 4s 4s +0%
poly_uniform_eta 4s 3s +33%
poly_uniform_gamma1 4s 5s -20%
poly_use_hint 4s 3s +33%
poly_use_hint_native 4s 4s +0%
polyt0_pack 4s 4s +0%
polyveck_chknorm 4s 5s -20%
polyvecl_unpack_eta 4s 5s -20%
polyvecl_unpack_z 4s 2s +100%
polyz_unpack_c 4s 5s -20%
polyz_unpack_native 4s 3s +33%
reduce32 4s 3s +33%
rej_eta 4s 4s +0%
rej_eta_c 4s 3s +33%
shake128_release 4s 3s +33%
shake256_init 4s 2s +100%
sign_keypair_internal 4s 6s -33%
sign_signature_extmu 4s 4s +0%
sign_signature_pre_hash_internal 4s 6s -33%
sign_signature_pre_hash_shake256 4s 4s +0%
sign_verify 4s 4s +0%
sign_verify_extmu 4s 4s +0%
unpack_sk 4s 5s -20%
caddq 3s 3s +0%
intt_native_x86_64 3s 3s +0%
keccakf1600_xor_bytes 3s 3s +0%
mld_ct_get_optblocker_u8 3s 2s +50%
mld_keccakf1600_extract_bytes 3s 2s +50%
mld_prepare_domain_separation_prefix 3s 5s -40%
ntt_native_x86_64 3s 3s +0%
pack_sig_z 3s 2s +50%
pack_sk 3s 2s +50%
poly_add 3s 4s -25%
poly_caddq_native 3s 4s -25%
poly_caddq_native_aarch64 3s 6s -50%
poly_chknorm 3s 3s +0%
poly_chknorm_native_aarch64 3s - new
poly_decompose 3s 3s +0%
poly_invntt_tomont_native 3s 7s -57%
poly_ntt 3s 5s -40%
poly_sub 3s 5s -40%
polyt1_pack 3s 2s +50%
polyt1_unpack 3s 6s -50%
polyveck_pack_eta 3s 4s -25%
polyveck_pack_t0 3s 3s +0%
polyveck_pack_w1 3s 6s -50%
polyveck_unpack_eta 3s 4s -25%
polyvecl_permute_bitrev_to_custom 3s 3s +0%
polyvecl_pointwise_acc_montgomery 3s 5s -40%
polyvecl_uniform_gamma1 3s 5s -40%
polyz_pack 3s 4s -25%
polyz_unpack_17_native_aarch64 3s - new
polyz_unpack_19_native_aarch64 3s - new
shake128_squeeze 3s 2s +50%
shake256_finalize 3s 5s -40%
shake256_release 3s 1s +200%
shake256x4_squeezeblocks 3s 3s +0%
sign_verify_pre_hash_internal 3s 3s +0%
sys_check_capability 3s 3s +0%
unpack_pk 3s 3s +0%
unpack_sig 3s 4s -25%
keccak_finalize 2s 2s +0%
keccak_squeeze 2s 2s +0%
keccakf1600_extract_bytes (big endian) 2s 3s -33%
keccakf1600x4_extract_bytes 2s 1s +100%
make_hint 2s 3s -33%
mld_ct_abs_i32 2s 4s -50%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_ct_cmask_nonzero_u8 2s 2s +0%
mld_ct_get_optblocker_i64 2s 1s +100%
mld_ct_get_optblocker_u32 2s 4s -50%
mld_value_barrier_i64 2s 2s +0%
poly_caddq_c 2s 3s -33%
poly_invntt_tomont 2s 6s -67%
poly_ntt_c 2s 2s +0%
poly_reduce 2s 5s -60%
poly_shiftl 2s 2s +0%
polyeta_pack 2s 2s +0%
polyvecl_pack_eta 2s 4s -50%
polyvecl_uniform_gamma1_serial 2s 4s -50%
shake128_absorb 2s 2s +0%
shake128_finalize 2s 3s -33%
shake128x4_squeezeblocks 2s 1s +100%
shake256 2s 2s +0%
shake256_absorb 2s 5s -60%
shake256_squeeze 2s 2s +0%
shake256x4_absorb_once 2s 4s -50%
sign_keypair 2s 3s -33%
keccak_init 1s 3s -67%
keccakf1600x4_xor_bytes 1s 2s -50%
mld_ct_cmask_nonzero_u32 1s 2s -50%
polyw1_pack 1s 1s +0%
polyz_unpack 1s 2s -50%
power2round 1s 2s -50%
shake128x4_absorb_once 1s 4s -75%

@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 15, 2026

CBMC Results (ML-DSA-44)

Full Results (178 proofs)
Proof Status Current Previous Change
**TOTAL** 2052s 2055s -0.1%
sign_verify_internal 238s 254s -6%
mld_attempt_signature_generation 220s 221s -0%
polyvecl_pointwise_acc_montgomery_c 196s 208s -6%
rej_uniform_native 139s 144s -3%
poly_pointwise_montgomery_c 130s 143s -9%
mld_ct_memcmp 80s 82s -2%
mld_invntt_layer 50s 50s +0%
keccak_squeezeblocks_x4 44s 44s +0%
mld_ntt_layer 44s 44s +0%
sign_signature_internal 44s 45s -2%
poly_invntt_tomont_c 40s 39s +3%
fqmul 19s 19s +0%
rej_uniform 19s 20s -5%
poly_uniform_eta_4x 18s 19s -5%
rej_uniform_c 18s 20s -10%
poly_chknorm_c 16s 12s +33%
polyt0_unpack 16s 15s +7%
keccakf1600x4_permute_native 15s 14s +7%
mld_compute_t0_t1_tr_from_sk_components 14s 15s -7%
poly_uniform_4x 14s 13s +8%
polyeta_unpack 14s 12s +17%
polymat_permute_bitrev_to_custom 14s 16s -12%
mld_polyvecl_permute_bitrev_to_custom_native 13s 14s -7%
polyvec_matrix_expand 13s 16s -19%
mld_ntt_butterfly_block 12s 13s -8%
keccak_absorb_once_x4 11s 9s +22%
polyveck_add 11s 7s +57%
polyz_unpack_c 11s 12s -8%
keccakf1600_permute_native 9s 6s +50%
keccakf1600_permute 8s 8s +0%
keccakf1600x4_permute 8s 3s +167%
poly_use_hint_c 8s 5s +60%
polyvecl_chknorm 8s 6s +33%
mld_compute_pack_z 7s 6s +17%
polyvec_matrix_expand_serial 7s 7s +0%
polyvec_matrix_pointwise_montgomery 7s 6s +17%
polyveck_decompose 7s 7s +0%
sign_pk_from_sk 7s 6s +17%
keccak_absorb 6s 8s -25%
mld_check_pct 6s 6s +0%
poly_challenge 6s 3s +100%
poly_decompose_c 6s 5s +20%
poly_power2round 6s 5s +20%
poly_uniform_gamma1 6s 4s +50%
polyveck_pointwise_poly_montgomery 6s 5s +20%
polyveck_reduce 6s 5s +20%
polyvecl_ntt 6s 6s +0%
sign_keypair_internal 6s 4s +50%
intt_native_x86_64 5s 3s +67%
keccakf1600_extract_bytes (big endian) 5s 3s +67%
mld_ct_get_optblocker_u32 5s 1s +400%
mld_h 5s 6s -17%
mld_prepare_domain_separation_prefix 5s 5s +0%
mld_sample_s1_s2 5s 4s +25%
mld_sample_s1_s2_serial 5s 3s +67%
poly_caddq_native 5s 2s +150%
polyeta_pack 5s 3s +67%
polyt0_pack 5s 4s +25%
polyt1_pack 5s 1s +400%
polyt1_unpack 5s 4s +25%
polyveck_ntt 5s 4s +25%
polyveck_shiftl 5s 5s +0%
polyveck_use_hint 5s 5s +0%
polyvecl_pack_eta 5s 3s +67%
polyvecl_pointwise_acc_montgomery_native 5s 3s +67%
polyvecl_unpack_z 5s 5s +0%
polyz_unpack 5s 5s +0%
shake256_absorb 5s 2s +150%
sign 5s 5s +0%
sign_signature_pre_hash_internal 5s 4s +25%
sign_verify_extmu 5s 2s +150%
unpack_hints 5s 5s +0%
fqscale 4s 1s +300%
keccak_squeeze 4s 5s -20%
keccakf1600_xor_bytes 4s 2s +100%
keccakf1600x4_xor_bytes 4s 2s +100%
make_hint 4s 3s +33%
ntt_native_x86_64 4s 3s +33%
pack_sig_c_h 4s 4s +0%
pack_sig_z 4s 2s +100%
poly_add 4s 4s +0%
poly_caddq 4s 3s +33%
poly_caddq_c 4s 3s +33%
poly_caddq_native_aarch64 4s 3s +33%
poly_decompose_native 4s 3s +33%
poly_ntt_native 4s 2s +100%
poly_pointwise_montgomery_native 4s 3s +33%
poly_shiftl 4s 4s +0%
poly_uniform_eta 4s 5s -20%
poly_uniform_gamma1_4x 4s 4s +0%
polyveck_caddq 4s 8s -50%
polyveck_chknorm 4s 3s +33%
polyveck_invntt_tomont 4s 6s -33%
polyveck_make_hint 4s 4s +0%
polyveck_pack_w1 4s 4s +0%
polyveck_power2round 4s 6s -33%
polyveck_sub 4s 4s +0%
polyveck_unpack_t0 4s 4s +0%
polyvecl_pointwise_acc_montgomery 4s 4s +0%
polyvecl_uniform_gamma1_serial 4s 3s +33%
polyvecl_unpack_eta 4s 2s +100%
polyz_unpack_17_native_aarch64 4s - new
polyz_unpack_native 4s 3s +33%
rej_eta 4s 1s +300%
rej_eta_c 4s 4s +0%
shake128_finalize 4s 2s +100%
shake128_release 4s 3s +33%
shake256_init 4s 3s +33%
sign_keypair 4s 2s +100%
sign_signature_pre_hash_shake256 4s 5s -20%
sign_verify_pre_hash_internal 4s 4s +0%
sys_check_capability 4s 4s +0%
unpack_sk 4s 4s +0%
caddq 3s 3s +0%
decompose 3s 3s +0%
keccak_finalize 3s 4s -25%
keccakf1600_xor_bytes (big endian) 3s 2s +50%
keccakf1600x4_extract_bytes 3s 3s +0%
mld_ct_cmask_nonzero_u8 3s 4s -25%
mld_ct_get_optblocker_u8 3s 1s +200%
mld_value_barrier_i64 3s 4s -25%
pack_pk 3s 3s +0%
pack_sk 3s 3s +0%
poly_decompose 3s 4s -25%
poly_invntt_tomont 3s 2s +50%
poly_make_hint 3s 4s -25%
poly_ntt 3s 3s +0%
poly_ntt_c 3s 2s +50%
poly_use_hint 3s 2s +50%
polyvecl_uniform_gamma1 3s 2s +50%
polyw1_pack 3s 2s +50%
polyz_pack 3s 2s +50%
polyz_unpack_19_native_aarch64 3s - new
power2round 3s 2s +50%
reduce32 3s 3s +0%
rej_eta_native 3s 4s -25%
shake128_squeeze 3s 2s +50%
shake128x4_squeezeblocks 3s 2s +50%
shake256 3s 3s +0%
shake256_squeeze 3s 5s -40%
sign_open 3s 6s -50%
sign_signature 3s 6s -50%
sign_signature_extmu 3s 7s -57%
sign_verify 3s 3s +0%
sign_verify_pre_hash_shake256 3s 3s +0%
unpack_pk 3s 3s +0%
mld_ct_abs_i32 2s 2s +0%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_ct_sel_int32 2s 4s -50%
mld_keccakf1600_extract_bytes 2s 6s -67%
mld_value_barrier_u32 2s 4s -50%
mld_value_barrier_u8 2s 1s +100%
montgomery_reduce 2s 2s +0%
poly_chknorm 2s 4s -50%
poly_chknorm_native 2s 6s -67%
poly_chknorm_native_aarch64 2s - new
poly_invntt_tomont_native 2s 4s -50%
poly_pointwise_montgomery 2s 2s +0%
poly_reduce 2s 4s -50%
poly_sub 2s 3s -33%
poly_uniform 2s 5s -60%
poly_use_hint_native 2s 3s -33%
polyveck_pack_eta 2s 3s -33%
polyveck_pack_t0 2s 3s -33%
polyveck_unpack_eta 2s 4s -50%
polyvecl_permute_bitrev_to_custom 2s 2s +0%
shake128_absorb 2s 1s +100%
shake128_init 2s 2s +0%
shake128x4_absorb_once 2s 4s -50%
shake256_finalize 2s 4s -50%
shake256x4_absorb_once 2s 4s -50%
shake256x4_squeezeblocks 2s 2s +0%
unpack_sig 2s 3s -33%
keccak_init 1s 3s -67%
mld_ct_cmask_nonzero_u32 1s 2s -50%
shake256_release 1s 3s -67%
use_hint 1s 2s -50%

@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 15, 2026

CBMC Results (ML-DSA-87)

Full Results (178 proofs)
Proof Status Current Previous Change
**TOTAL** 2528s 2449s +3.2%
sign_verify_internal 370s 353s +5%
mld_attempt_signature_generation 233s 227s +3%
polyvecl_pointwise_acc_montgomery_c 165s 165s +0%
polyvec_matrix_expand 159s 153s +4%
rej_uniform_native 142s 139s +2%
poly_pointwise_montgomery_c 135s 128s +5%
mld_invntt_layer 114s 114s +0%
polyvec_matrix_expand_serial 106s 110s -4%
mld_ct_memcmp 79s 74s +7%
sign_signature_internal 49s 46s +7%
mld_ntt_layer 46s 44s +5%
keccak_squeezeblocks_x4 43s 42s +2%
mld_compute_t0_t1_tr_from_sk_components 30s 25s +20%
polymat_permute_bitrev_to_custom 25s 24s +4%
rej_uniform 22s 21s +5%
fqmul 21s 18s +17%
rej_uniform_c 18s 16s +12%
poly_chknorm_c 17s 17s +0%
poly_uniform_eta_4x 15s 17s -12%
polyt0_unpack 15s 17s -12%
keccakf1600x4_permute_native 14s 12s +17%
poly_uniform_4x 14s 17s -18%
polyveck_power2round 14s 14s +0%
polyeta_unpack 13s 13s +0%
polyvec_matrix_pointwise_montgomery 13s 12s +8%
polyveck_add 13s 13s +0%
mld_ntt_butterfly_block 12s 13s -8%
polyveck_reduce 12s 13s -8%
sign_pk_from_sk 12s 9s +33%
keccak_absorb_once_x4 11s 10s +10%
keccak_absorb 10s 7s +43%
polyveck_chknorm 10s 6s +67%
poly_decompose_c 9s 7s +29%
poly_invntt_tomont_c 9s 9s +0%
polyveck_decompose 9s 6s +50%
polyveck_invntt_tomont 9s 10s -10%
polyveck_ntt 9s 8s +12%
polyveck_pointwise_poly_montgomery 9s 8s +12%
polyveck_use_hint 9s 9s +0%
polyvecl_ntt 9s 11s -18%
sign 9s 7s +29%
mld_sample_s1_s2_serial 8s 6s +33%
unpack_sk 8s 6s +33%
keccakf1600_permute_native 7s 10s -30%
mld_check_pct 7s 7s +0%
mld_polyvecl_permute_bitrev_to_custom_native 7s 8s -12%
mld_sample_s1_s2 7s 6s +17%
polyveck_caddq 7s 7s +0%
sign_verify_extmu 7s 3s +133%
keccakf1600_permute 6s 7s -14%
poly_add 6s 4s +50%
poly_make_hint 6s 2s +200%
polyveck_shiftl 6s 6s +0%
polyveck_sub 6s 7s -14%
polyvecl_uniform_gamma1 6s 4s +50%
polyz_pack 6s 2s +200%
sign_verify 6s 2s +200%
unpack_pk 6s 6s +0%
caddq 5s 4s +25%
mld_compute_pack_z 5s 7s -29%
mld_prepare_domain_separation_prefix 5s 3s +67%
ntt_native_x86_64 5s 4s +25%
poly_invntt_tomont 5s 2s +150%
poly_ntt 5s 3s +67%
poly_uniform 5s 6s -17%
poly_uniform_eta 5s 4s +25%
poly_uniform_gamma1 5s 3s +67%
polyveck_make_hint 5s 5s +0%
polyveck_pack_t0 5s 2s +150%
polyveck_unpack_eta 5s 3s +67%
polyvecl_chknorm 5s 4s +25%
polyvecl_uniform_gamma1_serial 5s 7s -29%
polyvecl_unpack_eta 5s 3s +67%
polyz_unpack_c 5s 5s +0%
rej_eta_native 5s 5s +0%
sign_keypair_internal 5s 6s -17%
sign_signature_pre_hash_internal 5s 5s +0%
sign_signature_pre_hash_shake256 5s 4s +25%
sign_verify_pre_hash_shake256 5s 4s +25%
decompose 4s 4s +0%
mld_ct_get_optblocker_i64 4s 3s +33%
mld_h 4s 2s +100%
mld_value_barrier_u8 4s 2s +100%
pack_sig_z 4s 3s +33%
pack_sk 4s 3s +33%
poly_caddq_c 4s 3s +33%
poly_challenge 4s 5s -20%
poly_chknorm_native 4s 2s +100%
poly_chknorm_native_aarch64 4s - new
poly_ntt_c 4s 1s +300%
poly_pointwise_montgomery_native 4s 3s +33%
poly_uniform_gamma1_4x 4s 6s -33%
poly_use_hint 4s 3s +33%
polyt0_pack 4s 5s -20%
polyveck_unpack_t0 4s 6s -33%
polyz_unpack_19_native_aarch64 4s - new
polyz_unpack_native 4s 4s +0%
rej_eta_c 4s 4s +0%
sign_open 4s 6s -33%
sign_signature_extmu 4s 5s -20%
sys_check_capability 4s 3s +33%
unpack_hints 4s 4s +0%
fqscale 3s 5s -40%
intt_native_x86_64 3s 5s -40%
keccak_finalize 3s 2s +50%
keccak_init 3s 3s +0%
keccak_squeeze 3s 4s -25%
keccakf1600_xor_bytes (big endian) 3s 3s +0%
mld_ct_abs_i32 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 4s -25%
mld_ct_sel_int32 3s 2s +50%
mld_value_barrier_i64 3s 3s +0%
montgomery_reduce 3s 3s +0%
pack_pk 3s 4s -25%
poly_caddq 3s 2s +50%
poly_decompose_native 3s 5s -40%
poly_invntt_tomont_native 3s 2s +50%
poly_ntt_native 3s 6s -50%
poly_pointwise_montgomery 3s 4s -25%
poly_power2round 3s 3s +0%
poly_reduce 3s 4s -25%
poly_shiftl 3s 2s +50%
polyt1_pack 3s 2s +50%
polyveck_pack_w1 3s 4s -25%
polyvecl_pack_eta 3s 3s +0%
polyvecl_pointwise_acc_montgomery_native 3s 3s +0%
polyvecl_unpack_z 3s 3s +0%
power2round 3s 4s -25%
reduce32 3s 4s -25%
shake128_init 3s 2s +50%
shake128_squeeze 3s 5s -40%
shake128x4_squeezeblocks 3s 2s +50%
shake256_absorb 3s 3s +0%
shake256_init 3s 2s +50%
shake256x4_squeezeblocks 3s 1s +200%
sign_keypair 3s 3s +0%
sign_signature 3s 5s -40%
sign_verify_pre_hash_internal 3s 5s -40%
use_hint 3s 3s +0%
keccakf1600_extract_bytes (big endian) 2s 3s -33%
keccakf1600x4_extract_bytes 2s 2s +0%
keccakf1600x4_permute 2s 2s +0%
keccakf1600x4_xor_bytes 2s 2s +0%
make_hint 2s 5s -60%
mld_ct_cmask_neg_i32 2s 1s +100%
mld_ct_cmask_nonzero_u8 2s 3s -33%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_keccakf1600_extract_bytes 2s 1s +100%
mld_value_barrier_u32 2s 2s +0%
pack_sig_c_h 2s 3s -33%
poly_caddq_native 2s 2s +0%
poly_caddq_native_aarch64 2s 3s -33%
poly_chknorm 2s 2s +0%
poly_decompose 2s 3s -33%
poly_sub 2s 3s -33%
poly_use_hint_c 2s 4s -50%
poly_use_hint_native 2s 4s -50%
polyeta_pack 2s 4s -50%
polyt1_unpack 2s 3s -33%
polyveck_pack_eta 2s 2s +0%
polyvecl_permute_bitrev_to_custom 2s 2s +0%
polyvecl_pointwise_acc_montgomery 2s 4s -50%
polyw1_pack 2s 2s +0%
polyz_unpack 2s 3s -33%
polyz_unpack_17_native_aarch64 2s - new
rej_eta 2s 2s +0%
shake128_absorb 2s 2s +0%
shake128_finalize 2s 3s -33%
shake128_release 2s 3s -33%
shake128x4_absorb_once 2s 4s -50%
shake256 2s 4s -50%
shake256_finalize 2s 3s -33%
shake256_release 2s 3s -33%
shake256_squeeze 2s 2s +0%
shake256x4_absorb_once 2s 2s +0%
keccakf1600_xor_bytes 1s 2s -50%
mld_ct_get_optblocker_u32 1s 2s -50%
unpack_sig 1s 5s -80%

hanno-becker
hanno-becker reviewed Feb 15, 2026
View reviewed changes
proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_17.ml
num_of_wordlist (MAP zunpack17 l) /\
(!i. i < 256 ==>
--(&(2 EXP 17) - &1) <= ival(EL i (MAP zunpack17 l)) /\
ival(EL i (MAP zunpack17 l)) <= &(2 EXP 17)))
Copy link
Contributor

@hanno-becker hanno-becker Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slight divergence from other proofs: This is a consequence of the

                  read(memory :> bytes(r,1024)) s =
                       num_of_wordlist (MAP zunpack17 l) /\

post-condition and could be derived as a corollary in the SUBROUTINE spec. This would leave XXX_CORRECT confined to the core argument, which I'd prefer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hanno-becker hanno-becker hanno-becker left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HOL-Light: Prove AArch64 polyz_unpack

3 participants

@mkannwischer @oqs-bot @hanno-becker

Comments