Skip to content

Armv8.1-M: Add MVE Keccak-f1600 x4 implementation #911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mkannwischer wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Armv8.1-M: Add MVE Keccak-f1600 x4 implementation #911

mkannwischer wants to merge 6 commits into from

Conversation

@mkannwischer
Copy link
Contributor

@mkannwischer mkannwischer commented Jan 27, 2026

@mkannwischer
Unit tests: Guard i32 helper functions for tests with arithmetic back…
4aaf4a8 
…ends only

Unit tests for Backends not support arthmetic do not use various i32 helper
functions resulting in unused function warnings.
This commit fixes that by introducing appropriate guards.

chknorm is an outlier here - it only uses generate_i32_array_ranged, but not
the other functions.
We, hence, need 3 different guards that include/exclude chknorm accordingly.

- Port of pq-code-package/mlkem-native@33c4af5

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
CI: Enable optimized code testing for M55-AN547
2b47ae8 
Test both optimized and non-optimized builds on M55-AN547.

- Port of pq-code-package/mlkem-native@4215daf

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
Nix: Consolidate arm-embedded with other cross shells
c1d6f50 
The avr and arm-embedded cross-shells were deviating in terms of their name
from the other cross shells.
This commit renames them to ci-cross-avr and ci-cross-arm-embedded.
ci-cross-avr is not yet available for mldsa-native.

- Port of pq-code-package/mlkem-native@5248a2b

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
Nix: Remove ci- and ci_ prefix for numerous nix shells
dab7baa 
Numerous nix shells were prefixed with ci- and ci_. I don't think that prefix
serves any meaningful purpose other than signaling that at some point we set
them up for CI.
This commit removes the prefix from all nix shells and adjusts CI accordingly.

- Port of pq-code-package/mlkem-native@d9fb732

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@oqs-bot
Copy link
Contributor

oqs-bot commented Jan 27, 2026
edited
Loading

CBMC Results (ML-DSA-65)

Full Results (174 proofs)
Proof Status Current Previous Change
**TOTAL** 2407s 2432s -1.0%
polyvecl_pointwise_acc_montgomery_c 253s 247s +2%
sign_verify_internal 243s 171s +42%
mld_attempt_signature_generation 228s 409s -44%
polyvec_matrix_expand 179s 134s +34%
poly_pointwise_montgomery_c 145s 143s +1%
rej_uniform_native 140s 137s +2%
mld_ct_memcmp 84s 88s -5%
polyvec_matrix_expand_serial 66s 63s +5%
mld_invntt_layer 62s 63s -2%
mld_ntt_layer 55s 46s +20%
sign_signature_internal 46s 49s -6%
keccak_squeezeblocks_x4 44s 46s -4%
mld_compute_t0_t1_tr_from_sk_components 26s 27s -4%
polymat_permute_bitrev_to_custom 22s 20s +10%
rej_uniform 22s 22s +0%
fqmul 21s 20s +5%
poly_uniform_eta_4x 19s 17s +12%
rej_uniform_c 19s 18s +6%
poly_uniform_4x 18s 15s +20%
polyveck_decompose 18s 16s +12%
poly_chknorm_c 17s 13s +31%
polyvec_matrix_pointwise_montgomery 16s 14s +14%
polyt0_unpack 14s 15s -7%
keccakf1600x4_permute_native 13s 13s +0%
polyveck_use_hint 13s 13s +0%
mld_ntt_butterfly_block 12s 14s -14%
mld_polyvecl_permute_bitrev_to_custom_native 12s 9s +33%
keccak_absorb_once_x4 11s 15s -27%
polyveck_ntt 11s 9s +22%
sign 10s 10s +0%
mld_compute_pack_z 9s 7s +29%
poly_invntt_tomont_c 9s 10s -10%
polyveck_add 9s 10s -10%
polyveck_power2round 9s 10s -10%
sign_pk_from_sk 9s 8s +12%
keccakf1600_permute 8s 9s -11%
mld_check_pct 8s 11s -27%
polyveck_invntt_tomont 8s 7s +14%
polyveck_shiftl 8s 7s +14%
polyvecl_ntt 8s 6s +33%
keccakf1600_permute_native 7s 9s -22%
poly_decompose_c 7s 7s +0%
polyeta_unpack 7s 9s -22%
polyveck_caddq 7s 7s +0%
sign_verify_extmu 7s 3s +133%
use_hint 7s 3s +133%
caddq 6s 1s +500%
mld_ct_cmask_nonzero_u32 6s 1s +500%
mld_h 6s 5s +20%
poly_make_hint 6s 3s +100%
poly_use_hint_c 6s 5s +20%
polyveck_reduce 6s 4s +50%
polyveck_sub 6s 6s +0%
sign_signature 6s 6s +0%
keccak_absorb 5s 7s -29%
mld_prepare_domain_separation_prefix 5s 4s +25%
mld_sample_s1_s2 5s 5s +0%
poly_caddq_native_aarch64 5s 3s +67%
poly_decompose_native 5s 4s +25%
poly_ntt 5s 2s +150%
poly_ntt_c 5s 4s +25%
poly_power2round 5s 2s +150%
poly_use_hint 5s 3s +67%
polyveck_chknorm 5s 2s +150%
polyveck_make_hint 5s 5s +0%
polyveck_pointwise_poly_montgomery 5s 6s -17%
polyveck_unpack_t0 5s 5s +0%
polyvecl_chknorm 5s 6s -17%
polyvecl_unpack_eta 5s 4s +25%
polyz_unpack_c 5s 6s -17%
rej_eta_native 5s 3s +67%
sign_keypair 5s 4s +25%
sign_signature_pre_hash_internal 5s 2s +150%
unpack_hints 5s 4s +25%
mld_ct_get_optblocker_i64 4s 2s +100%
mld_keccakf1600_extract_bytes 4s 3s +33%
mld_sample_s1_s2_serial 4s 5s -20%
pack_pk 4s 3s +33%
pack_sk 4s 3s +33%
poly_add 4s 5s -20%
poly_caddq 4s 2s +100%
poly_caddq_c 4s 3s +33%
poly_challenge 4s 4s +0%
poly_decompose 4s 2s +100%
poly_invntt_tomont_native 4s 4s +0%
poly_pointwise_montgomery 4s 1s +300%
poly_reduce 4s 3s +33%
poly_sub 4s 3s +33%
poly_uniform 4s 4s +0%
poly_uniform_eta 4s 4s +0%
poly_use_hint_native 4s 6s -33%
polyveck_unpack_eta 4s 4s +0%
polyvecl_pointwise_acc_montgomery_native 4s 5s -20%
polyz_pack 4s 3s +33%
polyz_unpack 4s 3s +33%
polyz_unpack_native 4s 7s -43%
reduce32 4s 1s +300%
rej_eta_c 4s 6s -33%
shake256_finalize 4s 1s +300%
shake256x4_squeezeblocks 4s 2s +100%
sign_verify 4s 4s +0%
sign_verify_pre_hash_internal 4s 5s -20%
unpack_pk 4s 3s +33%
decompose 3s 2s +50%
keccak_finalize 3s 3s +0%
keccak_squeeze 3s 3s +0%
keccakf1600x4_permute 3s 3s +0%
mld_ct_cmask_neg_i32 3s 2s +50%
mld_ct_cmask_nonzero_u8 3s 5s -40%
mld_ct_get_optblocker_u32 3s 3s +0%
mld_value_barrier_i64 3s 2s +50%
mld_value_barrier_u32 3s 1s +200%
ntt_native_x86_64 3s 3s +0%
pack_sig_c_h 3s 3s +0%
poly_chknorm_native 3s 2s +50%
poly_pointwise_montgomery_native 3s 4s -25%
poly_shiftl 3s 4s -25%
polyt0_pack 3s 5s -40%
polyt1_unpack 3s 5s -40%
polyveck_pack_eta 3s 2s +50%
polyveck_pack_t0 3s 3s +0%
polyvecl_pack_eta 3s 4s -25%
polyvecl_permute_bitrev_to_custom 3s 3s +0%
polyvecl_uniform_gamma1 3s 5s -40%
polyvecl_unpack_z 3s 3s +0%
polyw1_pack 3s 1s +200%
rej_eta 3s 2s +50%
shake128_absorb 3s 4s -25%
shake128_finalize 3s 2s +50%
shake128x4_absorb_once 3s 5s -40%
shake128x4_squeezeblocks 3s 3s +0%
shake256 3s 3s +0%
shake256_release 3s 1s +200%
shake256_squeeze 3s 2s +50%
sign_keypair_internal 3s 4s -25%
sign_open 3s 3s +0%
sign_signature_pre_hash_shake256 3s 5s -40%
sign_verify_pre_hash_shake256 3s 3s +0%
unpack_sig 3s 4s -25%
unpack_sk 3s 5s -40%
fqscale 2s 3s -33%
keccakf1600_extract_bytes (big endian) 2s 3s -33%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600_xor_bytes (big endian) 2s 1s +100%
keccakf1600x4_extract_bytes 2s 2s +0%
keccakf1600x4_xor_bytes 2s 1s +100%
make_hint 2s 2s +0%
mld_ct_abs_i32 2s 3s -33%
mld_ct_get_optblocker_u8 2s 3s -33%
mld_value_barrier_u8 2s 4s -50%
montgomery_reduce 2s 3s -33%
pack_sig_z 2s 2s +0%
poly_caddq_native 2s 5s -60%
poly_chknorm 2s 4s -50%
poly_invntt_tomont 2s 3s -33%
poly_ntt_native 2s 4s -50%
poly_uniform_gamma1 2s 4s -50%
poly_uniform_gamma1_4x 2s 6s -67%
polyeta_pack 2s 3s -33%
polyt1_pack 2s 3s -33%
polyveck_pack_w1 2s 2s +0%
polyvecl_pointwise_acc_montgomery 2s 2s +0%
polyvecl_uniform_gamma1_serial 2s 5s -60%
power2round 2s 4s -50%
shake128_init 2s 1s +100%
shake128_release 2s 3s -33%
shake128_squeeze 2s 5s -60%
shake256_absorb 2s 2s +0%
shake256_init 2s 2s +0%
shake256x4_absorb_once 2s 3s -33%
sign_signature_extmu 2s 6s -67%
sys_check_capability 2s 2s +0%
keccak_init 1s 2s -50%
mld_ct_sel_int32 1s 2s -50%

@oqs-bot
Copy link
Contributor

oqs-bot commented Jan 27, 2026
edited
Loading

CBMC Results (ML-DSA-44)

Full Results (174 proofs)
Proof Status Current Previous Change
**TOTAL** 1862s 1873s -0.6%
mld_attempt_signature_generation 214s 235s -9%
polyvecl_pointwise_acc_montgomery_c 191s 196s -3%
sign_verify_internal 147s 126s +17%
poly_pointwise_montgomery_c 128s 135s -5%
rej_uniform_native 128s 130s -2%
mld_ct_memcmp 78s 81s -4%
mld_invntt_layer 70s 71s -1%
keccak_squeezeblocks_x4 43s 43s +0%
mld_ntt_layer 42s 45s -7%
sign_signature_internal 26s 38s -32%
fqmul 19s 22s -14%
rej_uniform 19s 20s -5%
poly_uniform_4x 18s 14s +29%
polyvec_matrix_expand 18s 16s +12%
rej_uniform_c 17s 17s +0%
poly_chknorm_c 16s 16s +0%
poly_uniform_eta_4x 16s 17s -6%
polymat_permute_bitrev_to_custom 16s 17s -6%
mld_compute_t0_t1_tr_from_sk_components 15s 15s +0%
polyt0_unpack 14s 16s -12%
keccakf1600x4_permute_native 13s 14s -7%
mld_ntt_butterfly_block 13s 13s +0%
keccak_absorb_once_x4 12s 11s +9%
polyeta_unpack 12s 12s +0%
polyvec_matrix_pointwise_montgomery 11s 7s +57%
polyz_unpack_c 10s 12s -17%
mld_check_pct 9s 7s +29%
poly_invntt_tomont_c 9s 11s -18%
keccakf1600_permute_native 8s 8s +0%
mld_polyvecl_permute_bitrev_to_custom_native 8s 9s -11%
polyveck_add 8s 8s +0%
polyveck_power2round 8s 7s +14%
sign 8s 7s +14%
keccak_absorb 7s 6s +17%
keccakf1600_permute 7s 8s -12%
polyveck_pointwise_poly_montgomery 7s 5s +40%
polyveck_use_hint 7s 6s +17%
poly_uniform_gamma1_4x 6s 3s +100%
polyvec_matrix_expand_serial 6s 7s -14%
polyveck_decompose 6s 7s -14%
polyveck_ntt 6s 5s +20%
sign_pk_from_sk 6s 6s +0%
sign_signature_pre_hash_shake256 6s 3s +100%
mld_h 5s 3s +67%
pack_sig_c_h 5s 2s +150%
poly_chknorm 5s 1s +400%
poly_decompose_native 5s 3s +67%
poly_pointwise_montgomery_native 5s 3s +67%
poly_uniform 5s 4s +25%
poly_use_hint_native 5s 3s +67%
polyveck_caddq 5s 5s +0%
polyveck_pack_eta 5s 7s -29%
polyveck_reduce 5s 3s +67%
polyvecl_chknorm 5s 6s -17%
polyvecl_pointwise_acc_montgomery 5s 3s +67%
rej_eta_c 5s 4s +25%
shake128x4_squeezeblocks 5s 2s +150%
sign_keypair_internal 5s 5s +0%
sign_signature 5s 6s -17%
sign_signature_extmu 5s 4s +25%
sign_verify 5s 6s -17%
keccakf1600_extract_bytes (big endian) 4s 2s +100%
mld_compute_pack_z 4s 5s -20%
mld_ct_abs_i32 4s 2s +100%
mld_prepare_domain_separation_prefix 4s 4s +0%
pack_pk 4s 2s +100%
poly_challenge 4s 4s +0%
poly_invntt_tomont_native 4s 3s +33%
poly_make_hint 4s 2s +100%
poly_ntt_native 4s 4s +0%
poly_pointwise_montgomery 4s 3s +33%
poly_uniform_eta 4s 3s +33%
poly_uniform_gamma1 4s 2s +100%
poly_use_hint 4s 4s +0%
poly_use_hint_c 4s 3s +33%
polyt0_pack 4s 3s +33%
polyt1_pack 4s 3s +33%
polyveck_invntt_tomont 4s 6s -33%
polyveck_make_hint 4s 4s +0%
polyveck_sub 4s 4s +0%
polyvecl_ntt 4s 4s +0%
polyvecl_pack_eta 4s 3s +33%
polyw1_pack 4s 2s +100%
polyz_unpack 4s 3s +33%
polyz_unpack_native 4s 3s +33%
power2round 4s 2s +100%
rej_eta 4s 4s +0%
rej_eta_native 4s 5s -20%
shake128_init 4s 2s +100%
shake128_release 4s 2s +100%
shake128_squeeze 4s 2s +100%
shake256_squeeze 4s 2s +100%
sign_signature_pre_hash_internal 4s 2s +100%
sign_verify_pre_hash_shake256 4s 4s +0%
unpack_hints 4s 5s -20%
unpack_sk 4s 3s +33%
fqscale 3s 2s +50%
keccak_finalize 3s 2s +50%
keccak_squeeze 3s 3s +0%
keccakf1600_xor_bytes (big endian) 3s 2s +50%
keccakf1600x4_permute 3s 5s -40%
make_hint 3s 5s -40%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_ct_get_optblocker_u8 3s 3s +0%
mld_ct_sel_int32 3s 2s +50%
mld_keccakf1600_extract_bytes 3s 2s +50%
mld_sample_s1_s2 3s 4s -25%
mld_sample_s1_s2_serial 3s 4s -25%
mld_value_barrier_u8 3s 2s +50%
ntt_native_x86_64 3s 2s +50%
pack_sk 3s 3s +0%
poly_add 3s 3s +0%
poly_caddq_c 3s 2s +50%
poly_caddq_native 3s 7s -57%
poly_chknorm_native 3s 2s +50%
poly_decompose_c 3s 1s +200%
poly_invntt_tomont 3s 3s +0%
poly_ntt 3s 2s +50%
poly_ntt_c 3s 2s +50%
poly_shiftl 3s 3s +0%
polyeta_pack 3s 3s +0%
polyt1_unpack 3s 2s +50%
polyveck_pack_t0 3s 4s -25%
polyveck_pack_w1 3s 2s +50%
polyveck_shiftl 3s 7s -57%
polyveck_unpack_eta 3s 2s +50%
polyvecl_permute_bitrev_to_custom 3s 5s -40%
polyvecl_pointwise_acc_montgomery_native 3s 4s -25%
polyvecl_uniform_gamma1 3s 4s -25%
polyvecl_unpack_eta 3s 4s -25%
polyz_pack 3s 3s +0%
reduce32 3s 6s -50%
shake128_finalize 3s 1s +200%
shake128x4_absorb_once 3s 2s +50%
shake256_absorb 3s 3s +0%
shake256_init 3s 4s -25%
shake256_release 3s 3s +0%
shake256x4_absorb_once 3s 4s -25%
shake256x4_squeezeblocks 3s 2s +50%
sign_keypair 3s 3s +0%
sign_open 3s 4s -25%
sign_verify_extmu 3s 5s -40%
sign_verify_pre_hash_internal 3s 3s +0%
sys_check_capability 3s 3s +0%
unpack_pk 3s 5s -40%
use_hint 3s 4s -25%
caddq 2s 2s +0%
decompose 2s 5s -60%
keccak_init 2s 1s +100%
keccakf1600x4_extract_bytes 2s 1s +100%
keccakf1600x4_xor_bytes 2s 3s -33%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_ct_cmask_nonzero_u8 2s 1s +100%
mld_ct_get_optblocker_i64 2s 1s +100%
mld_ct_get_optblocker_u32 2s 2s +0%
mld_value_barrier_i64 2s 3s -33%
mld_value_barrier_u32 2s 4s -50%
montgomery_reduce 2s 2s +0%
pack_sig_z 2s 3s -33%
poly_caddq 2s 2s +0%
poly_caddq_native_aarch64 2s 4s -50%
poly_decompose 2s 4s -50%
poly_power2round 2s 4s -50%
poly_reduce 2s 5s -60%
poly_sub 2s 5s -60%
polyveck_chknorm 2s 5s -60%
polyveck_unpack_t0 2s 3s -33%
polyvecl_uniform_gamma1_serial 2s 4s -50%
polyvecl_unpack_z 2s 3s -33%
shake128_absorb 2s 1s +100%
shake256_finalize 2s 3s -33%
unpack_sig 2s 4s -50%
keccakf1600_xor_bytes 1s 1s +0%
shake256 1s 2s -50%

@oqs-bot
Copy link
Contributor

oqs-bot commented Jan 27, 2026
edited
Loading

CBMC Results (ML-DSA-87)

⚠️ Attention Required

Proof Status Current Previous Change
**TOTAL** ⚠️ 2944s 2313s +27.3%
mld_attempt_signature_generation ⚠️ 358s 210s +70%
sign_verify_internal ⚠️ 416s 122s +241%
Full Results (174 proofs)
Proof Status Current Previous Change
**TOTAL** ⚠️ 2944s 2313s +27.3%
sign_verify_internal ⚠️ 416s 122s +241%
mld_attempt_signature_generation ⚠️ 358s 210s +70%
polyvec_matrix_expand 234s 203s +15%
polyvecl_pointwise_acc_montgomery_c 217s 196s +11%
poly_pointwise_montgomery_c 177s 152s +16%
rej_uniform_native 145s 136s +7%
polyvec_matrix_expand_serial 114s 107s +7%
mld_ct_memcmp 100s 89s +12%
mld_invntt_layer 70s 66s +6%
mld_ntt_layer 58s 46s +26%
sign_signature_internal 47s 60s -22%
keccak_squeezeblocks_x4 46s 46s +0%
polymat_permute_bitrev_to_custom 29s 25s +16%
mld_compute_t0_t1_tr_from_sk_components 28s 29s -3%
fqmul 23s 21s +10%
rej_uniform 22s 22s +0%
poly_uniform_eta_4x 21s 17s +24%
rej_uniform_c 21s 19s +11%
poly_chknorm_c 19s 17s +12%
polyveck_add 19s 15s +27%
polyveck_power2round 17s 15s +13%
poly_uniform_4x 15s 14s +7%
polyt0_unpack 15s 16s -6%
keccak_absorb_once_x4 14s 12s +17%
keccakf1600x4_permute_native 14s 12s +17%
mld_ntt_butterfly_block 14s 12s +17%
polyeta_unpack 14s 15s -7%
polyvec_matrix_pointwise_montgomery 14s 15s -7%
polyveck_use_hint 13s 8s +62%
sign 13s 8s +62%
polyveck_chknorm 11s 9s +22%
mld_check_pct 10s 8s +25%
mld_polyvecl_permute_bitrev_to_custom_native 10s 12s -17%
polyveck_reduce 10s 10s +0%
mld_compute_pack_z 9s 6s +50%
poly_invntt_tomont_c 9s 10s -10%
polyveck_invntt_tomont 9s 8s +12%
polyvecl_ntt 9s 10s -10%
rej_eta_native 9s 5s +80%
sign_pk_from_sk 9s 9s +0%
keccakf1600_permute 8s 6s +33%
poly_decompose_c 8s 11s -27%
polyveck_caddq 8s 6s +33%
polyveck_decompose 8s 7s +14%
polyveck_ntt 8s 9s -11%
polyveck_sub 8s 5s +60%
keccakf1600_permute_native 7s 8s -12%
mld_sample_s1_s2_serial 7s 7s +0%
poly_uniform_eta 7s 5s +40%
polyveck_pointwise_poly_montgomery 7s 8s -12%
polyveck_shiftl 7s 6s +17%
sign_signature_pre_hash_internal 7s 8s -12%
sign_verify_extmu 7s 3s +133%
unpack_hints 7s 4s +75%
keccak_absorb 6s 5s +20%
mld_sample_s1_s2 6s 7s -14%
ntt_native_x86_64 6s 3s +100%
poly_add 6s 7s -14%
poly_invntt_tomont 6s 4s +50%
polyt0_pack 6s 4s +50%
polyveck_make_hint 6s 6s +0%
polyvecl_unpack_z 6s 5s +20%
polyz_unpack_c 6s 4s +50%
rej_eta_c 6s 5s +20%
sign_keypair_internal 6s 5s +20%
sign_verify_pre_hash_internal 6s 4s +50%
sign_verify_pre_hash_shake256 6s 8s -25%
fqscale 5s 2s +150%
keccak_squeeze 5s 4s +25%
keccakf1600x4_extract_bytes 5s 4s +25%
mld_ct_abs_i32 5s 2s +150%
mld_ct_get_optblocker_u8 5s 1s +400%
mld_h 5s 2s +150%
mld_value_barrier_i64 5s 2s +150%
montgomery_reduce 5s 3s +67%
poly_challenge 5s 5s +0%
poly_ntt_c 5s 4s +25%
poly_uniform 5s 5s +0%
polyeta_pack 5s 3s +67%
polyt1_unpack 5s 4s +25%
polyveck_pack_eta 5s 4s +25%
polyvecl_permute_bitrev_to_custom 5s 3s +67%
polyvecl_unpack_eta 5s 4s +25%
polyz_pack 5s 5s +0%
sign_signature_extmu 5s 6s -17%
unpack_sk 5s 6s -17%
caddq 4s 2s +100%
mld_ct_cmask_neg_i32 4s 3s +33%
mld_ct_cmask_nonzero_u32 4s 3s +33%
mld_value_barrier_u32 4s 2s +100%
pack_pk 4s 5s -20%
pack_sk 4s 3s +33%
poly_caddq_native 4s 2s +100%
poly_chknorm 4s 4s +0%
poly_ntt 4s 5s -20%
poly_pointwise_montgomery 4s 3s +33%
poly_power2round 4s 3s +33%
poly_sub 4s 3s +33%
poly_uniform_gamma1 4s 3s +33%
poly_uniform_gamma1_4x 4s 3s +33%
poly_use_hint_native 4s 4s +0%
polyt1_pack 4s 3s +33%
polyveck_unpack_eta 4s 4s +0%
polyveck_unpack_t0 4s 6s -33%
polyvecl_chknorm 4s 3s +33%
polyvecl_uniform_gamma1 4s 4s +0%
polyvecl_uniform_gamma1_serial 4s 5s -20%
polyw1_pack 4s 4s +0%
polyz_unpack 4s 2s +100%
reduce32 4s 3s +33%
rej_eta 4s 4s +0%
shake128_squeeze 4s 2s +100%
sign_keypair 4s 3s +33%
sign_open 4s 3s +33%
sign_signature_pre_hash_shake256 4s 7s -43%
sign_verify 4s 3s +33%
use_hint 4s 2s +100%
decompose 3s 2s +50%
keccak_init 3s 1s +200%
keccakf1600x4_xor_bytes 3s 3s +0%
make_hint 3s 2s +50%
mld_ct_cmask_nonzero_u8 3s 2s +50%
mld_prepare_domain_separation_prefix 3s 4s -25%
pack_sig_z 3s 2s +50%
poly_caddq 3s 4s -25%
poly_caddq_c 3s 3s +0%
poly_chknorm_native 3s 4s -25%
poly_decompose 3s 3s +0%
poly_invntt_tomont_native 3s 3s +0%
poly_ntt_native 3s 4s -25%
poly_pointwise_montgomery_native 3s 5s -40%
poly_shiftl 3s 1s +200%
poly_use_hint_c 3s 2s +50%
polyveck_pack_t0 3s 2s +50%
polyveck_pack_w1 3s 3s +0%
polyvecl_pack_eta 3s 3s +0%
polyvecl_pointwise_acc_montgomery_native 3s 2s +50%
polyz_unpack_native 3s 3s +0%
shake128_finalize 3s 2s +50%
shake128_release 3s 2s +50%
shake128x4_absorb_once 3s 2s +50%
shake128x4_squeezeblocks 3s 2s +50%
shake256_init 3s 3s +0%
shake256_release 3s 3s +0%
shake256x4_absorb_once 3s 4s -25%
sign_signature 3s 5s -40%
sys_check_capability 3s 2s +50%
unpack_pk 3s 4s -25%
keccak_finalize 2s 2s +0%
keccakf1600_extract_bytes (big endian) 2s 2s +0%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_permute 2s 2s +0%
mld_ct_get_optblocker_i64 2s 2s +0%
mld_ct_sel_int32 2s 3s -33%
mld_keccakf1600_extract_bytes 2s 4s -50%
pack_sig_c_h 2s 5s -60%
poly_caddq_native_aarch64 2s 5s -60%
poly_decompose_native 2s 2s +0%
poly_reduce 2s 6s -67%
poly_use_hint 2s 3s -33%
polyvecl_pointwise_acc_montgomery 2s 3s -33%
power2round 2s 4s -50%
shake128_absorb 2s 1s +100%
shake128_init 2s 4s -50%
shake256 2s 3s -33%
shake256_finalize 2s 2s +0%
shake256_squeeze 2s 3s -33%
shake256x4_squeezeblocks 2s 4s -50%
unpack_sig 2s 4s -50%
mld_ct_get_optblocker_u32 1s 3s -67%
mld_value_barrier_u8 1s 1s +0%
poly_make_hint 1s 4s -75%
shake256_absorb 1s 2s -50%

mkannwischer and others added 2 commits January 28, 2026 10:42
@mkannwischer @bremoran
Armv8.1-M: Add MVE Keccak-f1600 x4 implementation
8cd3971 
Add 4-way parallel Keccak-f1600 permutation for Armv8.1-M with MVE,
using bit-interleaved state representation.

- Add keccak_f1600_x4_mve.S: MVE assembly for 4-way Keccak
- Add keccak_f1600_x4_mve.c: C wrapper with temporary bit-interleaving
  (to be eliminated once we have XORBytes and ExtractBytes implementations
   handling the bitinterleaving)
- Adjust simpasm to support Armv8.1-M Thumb assembly simplification

- Resolves #908

- Port of pq-code-package/mlkem-native@065c735

Co-Authored-By: Brendan Moran <brendan.moran@arm.com>
Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer
Armv8.1-M: Disable backend by default
d3bec89 
The Armv8.1-M + MVE backend is still in active development and has
not undergone the same level of audit as the rest of the code.

This commit extends the documentation to make this clear.

The commit also disables the Armv8.1-M + MVE backend by default,
and instead explicitly enables it in the an547 baremetal Makefile.

- Port of pq-code-package/mlkem-native@9d2f1c2

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer mkannwischer marked this pull request as ready for review January 28, 2026 06:22
@mkannwischer mkannwischer requested a review from a team as a code owner January 28, 2026 06:22
@mkannwischer mkannwischer requested a review from bremoran January 28, 2026 06:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bremoran bremoran Awaiting requested review from bremoran

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Port: Armv8.1-M: Add MVE Keccak-f1600 x4 implementation

3 participants

@mkannwischer @oqs-bot