Armv8.1-M: Add native x1 Keccak with MVE bit-interleaving #1550

Open
bremoran wants to merge 7 commits into main from mve-keccak-x1-bitinterleave

Conversation

bremoran (Contributor) commented Feb 6, 2026

Benchmarking is needed to evaluate whether XORs up to 8 bytes are faster or slower than pure scalar code.

@bremoran bremoran requested a review from a team as a code owner February 6, 2026 15:38
@bremoran bremoran force-pushed the mve-keccak-x1-bitinterleave branch from ced77f3 to 32b7252 Compare February 6, 2026 15:39
@bremoran bremoran force-pushed the mve-keccak-x1-bitinterleave branch from ed6f7f0 to 7b867e7 Compare February 16, 2026 11:50
mkannwischer and others added 5 commits February 25, 2026 18:23
Add a scalar x1 Keccak permutation to the Armv8.1-M FIPS202 backend, complementing the existing x4 MVE implementation. The assembly is derived from XKCP, with ARMv7-M optimizations by Alexandre Adomnicai (ePrint 2023/773) and further optimizations in the SLOTHY M7 paper by Abdulrahman, Kannwischer, and Lim (ePrint 2025/366).

The implementation uses bit-interleaved state representation internally, with C wrapper functions handling the conversion to/from standard representation for now. Optimized xorbytes and extractbytes (including the bitinterleaving) will be added at a later stage, which will allow removing the current bitinterleaving.

- Resolves #1506

Co-Authored-By: Brendan Moran <brendan.moran@arm.com>
Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
Signed-off-by: Brendan Moran <brendan.moran@arm.com>
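The bit-interleaved state representation the commit message refers to, as an added example that is not code from this PR or from the project: each 64-bit Keccak lane is split into its even-numbered and odd-numbered bits, each held in a 32-bit word, so that a 64-bit lane rotation (the rho step) becomes two 32-bit rotations with a half-swap when the rotation count is odd. The shift-and-mask conversions are the standard XKCP-style ones; the type and function names are this example's own, and `rotation_agrees` exercises all 64 rotation counts so a reader can check the property rather than take it on trust.

```c
#include <stdint.h>

/* Bit-interleaved lane: even-numbered bits of a 64-bit Keccak lane in .even,
 * odd-numbered bits in .odd (the XKCP representation the commit refers to).
 * Names in this example are assumptions, not the project's own. */
typedef struct { uint32_t even, odd; } ilane_t;
static uint32_t rotl32(uint32_t x, unsigned n) { n &= 31; return (x << n) | (x >> ((32u - n) & 31u)); }
static uint64_t rotl64(uint64_t x, unsigned n) { n &= 63; return (x << n) | (x >> ((64u - n) & 63u)); }

/* Gather the even-numbered bits of x into the low 32 bits (5 shift/mask steps). */
static uint32_t gather_even_bits(uint64_t x)
{
    x &= 0x5555555555555555ULL;
    x = (x | (x >> 1)) & 0x3333333333333333ULL;
    x = (x | (x >> 2)) & 0x0F0F0F0F0F0F0F0FULL;
    x = (x | (x >> 4)) & 0x00FF00FF00FF00FFULL;
    x = (x | (x >> 8)) & 0x0000FFFF0000FFFFULL;
    x = (x | (x >> 16)) & 0x00000000FFFFFFFFULL;
    return (uint32_t)x;
}
/* Inverse: spread 32 bits back out to the even positions of a lane. */
static uint64_t spread_to_even_bits(uint32_t v)
{
    uint64_t x = v;
    x = (x | (x << 16)) & 0x0000FFFF0000FFFFULL;
    x = (x | (x << 8)) & 0x00FF00FF00FF00FFULL;
    x = (x | (x << 4)) & 0x0F0F0F0F0F0F0F0FULL;
    x = (x | (x << 2)) & 0x3333333333333333ULL;
    x = (x | (x << 1)) & 0x5555555555555555ULL;
    return x;
}
/* Conversions a C wrapper performs around a permutation that works on interleaved lanes. */
static ilane_t to_interleaved(uint64_t lane)
{
    ilane_t l = { gather_even_bits(lane), gather_even_bits(lane >> 1) };
    return l;
}
static uint64_t from_interleaved(ilane_t l)
{
    return spread_to_even_bits(l.even) | (spread_to_even_bits(l.odd) << 1);
}
/* A 64-bit rotation by r on the interleaved halves is two 32-bit rotations,
 * with the halves swapped when r is odd: this is what makes the rho step
 * cheap on a 32-bit core. */
static ilane_t rotl_interleaved(ilane_t l, unsigned r)
{
    ilane_t out;
    r &= 63;
    if (r % 2 == 0) {
        out.even = rotl32(l.even, r / 2);
        out.odd = rotl32(l.odd, r / 2);
    } else {
        out.even = rotl32(l.odd, (r + 1) / 2);
        out.odd = rotl32(l.even, (r - 1) / 2);
    }
    return out;
}
/* 1 if the interleaved rotation matches rotl64 for every r in 0..63, else 0. */
static int rotation_agrees(uint64_t lane)
{
    for (unsigned r = 0; r < 64; r++)
        if (from_interleaved(rotl_interleaved(to_interleaved(lane), r)) != rotl64(lane, r))
            return 0;
    return 1;
}
```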
@mkannwischer mkannwischer force-pushed the mve-keccak-x1-bitinterleave branch from 7b867e7 to 25cc52f Compare February 25, 2026 10:31
@mkannwischer mkannwischer changed the title from "Add support for native xor bytes & extract bytes on armv8.1m." to "Armv8.1-M: Add native x1 Keccak with MVE bit-interleaving" Feb 25, 2026
oqs-bot (Contributor) commented Feb 25, 2026

CBMC Results (ML-KEM-512)

⚠️ Attention Required

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| mlk_keccakf1600_extract_bytes (big endian) | | - | 2s | - |
| mlk_keccakf1600_xor_bytes (big endian) | | - | 2s | - |

Full Results (153 proofs)

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | | 1195s | 1308s | -8.6% |
oqs-bot (Contributor) commented Feb 25, 2026

CBMC Results (ML-KEM-768)

⚠️ Attention Required

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| mlk_keccakf1600_extract_bytes (big endian) | | - | 2s | - |
| mlk_keccakf1600_xor_bytes (big endian) | | - | 3s | - |

Full Results (153 proofs)

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | | 1322s | 1312s | +0.8% |
oqs-bot (Contributor) commented Feb 25, 2026

CBMC Results (ML-KEM-1024)

⚠️ Attention Required

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| mlk_keccakf1600_extract_bytes (big endian) | | - | 1s | - |
| mlk_keccakf1600_xor_bytes (big endian) | | - | 2s | - |

Full Results (153 proofs)

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | | 2380s | 2467s | -3.5% |
```c
void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
                                   unsigned offset, unsigned length)
{
#if defined(MLK_USE_FIPS202_X1_EXTRACT_BYTES_NATIVE)
```

Contributor commented on this line:

We will need a CBMC proof for this branch

```c
void mlk_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
                               unsigned offset, unsigned length)
{
#if defined(MLK_USE_FIPS202_X1_XOR_BYTES_NATIVE)
```

Contributor commented on this line:

We will need a CBMC proof for this branch.
