Skip to content

Armv8.1-M: Add native x1 Keccak with MVE bit-interleaving#1550

Open
bremoran wants to merge 7 commits intomainfrom
mve-keccak-x1-bitinterleave
Open

Armv8.1-M: Add native x1 Keccak with MVE bit-interleaving#1550
bremoran wants to merge 7 commits intomainfrom
mve-keccak-x1-bitinterleave

Conversation

@bremoran
Copy link
Contributor

@bremoran bremoran commented Feb 6, 2026
edited by mkannwischer
Loading

Benchmarking is needed to evaluate whether xor's up to 8 bytes are faster or slower than pure scalar code.

@bremoran bremoran requested a review from a team as a code owner February 6, 2026 15:38
@bremoran bremoran force-pushed the mve-keccak-x1-bitinterleave branch from ced77f3 to 32b7252 Compare February 6, 2026 15:39
@bremoran bremoran force-pushed the mve-keccak-x1-bitinterleave branch from ed6f7f0 to 7b867e7 Compare February 16, 2026 11:50
mkannwischer and others added 5 commits February 25, 2026 18:23
@mkannwischer @bremoran
Armv8.1-M: Add native x1 Keccak implementation
1265cf6 
Add a scalar x1 Keccak permutation to the Armv8.1-M FIPS202 backend,
complementing the existing x4 MVE implementation.

The assembly is derived from XKCP, with ARMv7-M optimizations by
Alexandre Adomnicai (ePrint 2023/773) and further optimizations in the
SLOTHY M7 paper by Abdulrahman, Kannwischer, and Lim (ePrint 2025/366).

The implementation uses bit-interleaved state representation internally,
with C wrapper functions handling the conversion to/from standard
representation for now. Optimized xorbytes, and extractbytes (including the
bitinterleaving) will be added at a later stage which will allow removing the
current bitinterleaving.

- Resolves #1506

Co-Authored-By: Brendan Moran <brendan.moran@arm.com>
Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@bremoran @mkannwischer
Create x1 bit interleaving functions with MVE acceleration
3f3e38a 
Signed-off-by: Brendan Moran <brendan.moran@arm.com>
@bremoran @mkannwischer
Format files and switch from vshr to vqdmulh for better pipelining
4d0a127 
Signed-off-by: Brendan Moran <brendan.moran@arm.com>
@bremoran @mkannwischer
Do vqdmulh optimisation for extractbytes as well
278a9ac 
Signed-off-by: Brendan Moran <brendan.moran@arm.com>
@mkannwischer
Move MVE x1 bit-interleaving sources to dev/ and regenerate via autogen
25cc52f 
Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer mkannwischer force-pushed the mve-keccak-x1-bitinterleave branch from 7b867e7 to 25cc52f Compare February 25, 2026 10:31
@mkannwischer mkannwischer changed the title Add support for native xor bytes & extract bytes on armv8.1m. Armv8.1-M: Add native x1 Keccak with MVE bit-interleaving Feb 25, 2026
@mkannwischer mkannwischer mentioned this pull request Feb 25, 2026
Closed
@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 25, 2026
edited
Loading

CBMC Results (ML-KEM-512)

⚠️ Attention Required

Proof Status Current Previous Change
mlk_keccakf1600_extract_bytes (big endian) - 2s -
mlk_keccakf1600_xor_bytes (big endian) - 2s -
Full Results (153 proofs)
Proof Status Current Previous Change
**TOTAL** 1195s 1308s -8.6%
mlk_indcpa_keypair_derand 182s 195s -7%
mlk_indcpa_enc 157s 174s -10%
mlk_keccak_squeezeblocks_x4 151s 170s -11%
mlk_rej_uniform_c 73s 92s -21%
mlk_polyvec_basemul_acc_montgomery_cached_c 43s 48s -10%
mlk_poly_rej_uniform 36s 44s -18%
mlk_polyvec_add 26s 26s +0%
keccakf1600x4_permute_native_x4 21s 21s +0%
poly_ntt_native 21s 31s -32%
polyvec_basemul_acc_montgomery_cached_native 21s 24s -12%
mlk_ntt_layer 19s 26s -27%
mlk_poly_reduce_native 15s 17s -12%
mlk_keccak_absorb_once_x4 10s 10s +0%
mlk_indcpa_dec 9s 12s -25%
mlk_ntt_butterfly_block 9s 11s -18%
mlk_poly_rej_uniform_x4 9s 7s +29%
mlk_poly_sub 9s 10s -10%
keccakf1600_permute_native 7s 6s +17%
mlk_fqmul 7s 8s -12%
mlk_keccak_squeeze_once 7s 8s -12%
mlk_keccak_squeezeblocks 7s 10s -30%
mlk_poly_frombytes_native 7s 10s -30%
mlk_poly_frommsg 6s 6s +0%
mlk_polymat_permute_bitrev_to_custom 6s 6s +0%
kem_dec 5s 7s -29%
mlk_keccak_absorb_once 5s 3s +67%
mlk_poly_cbd_eta1 5s 3s +67%
mlk_poly_tomsg 5s 4s +25%
mlk_polyvec_permute_bitrev_to_custom_native 5s 1s +400%
poly_frombytes_native_x86_64 5s 6s -17%
poly_mulcache_compute_native_x86_64 5s 1s +400%
kem_check_pk 4s 3s +33%
kem_enc_derand 4s 4s +0%
mlk_barrett_reduce 4s 2s +100%
mlk_matvec_mul 4s 4s +0%
mlk_poly_compress_du 4s 4s +0%
mlk_poly_getnoise_eta1122_4x 4s 2s +100%
mlk_poly_tobytes_c 4s 3s +33%
mlk_poly_tomont 4s 2s +100%
mlk_polyvec_ntt 4s 2s +100%
mlk_polyvec_tomont 4s 2s +100%
mlk_shake128_squeezeblocks 4s 3s +33%
mlk_shake256x4 4s 4s +0%
ntt_native_x86_64 4s 1s +300%
poly_invntt_tomont_native 4s 2s +100%
poly_reduce_native_x86_64 4s 4s +0%
poly_tomont_native_x86_64 4s 3s +33%
polyvec_basemul_acc_montgomery_cached_k2_native_x86_64 4s 2s +100%
polyvec_basemul_acc_montgomery_cached_k3_native_aarch64 4s 2s +100%
rej_uniform_native_x86_64 4s 3s +33%
intt_native_x86_64 3s 4s -25%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 4s -25%
kem_enc 3s 4s -25%
mlk_check_pct 3s 3s +0%
mlk_ct_cmask_neg_i16 3s 2s +50%
mlk_ct_cmask_nonzero_u8 3s 3s +0%
mlk_ct_get_optblocker_i32 3s 2s +50%
mlk_ct_memcmp 3s 4s -25%
mlk_invntt_layer 3s 4s -25%
mlk_keccakf1600_extract_bytes 3s 3s +0%
mlk_keccakf1600x4_extract_bytes 3s 3s +0%
mlk_keccakf1600x4_permute 3s 2s +50%
mlk_keccakf1600x4_xor_bytes 3s 2s +50%
mlk_poly_cbd_eta2 3s 2s +50%
mlk_poly_compress_dv 3s 1s +200%
mlk_poly_decompress_dv 3s 2s +50%
mlk_poly_frombytes 3s 1s +200%
mlk_poly_frombytes_c 3s 2s +50%
mlk_poly_getnoise_eta1_4x_native 3s 2s +50%
mlk_poly_getnoise_eta2 3s 4s -25%
mlk_poly_invntt_tomont 3s 1s +200%
mlk_poly_invntt_tomont_c 3s 1s +200%
mlk_poly_mulcache_compute_c 3s 1s +200%
mlk_poly_reduce 3s 2s +50%
mlk_poly_tobytes 3s 1s +200%
mlk_poly_tomont_c 3s 3s +0%
mlk_polyvec_basemul_acc_montgomery_cached 3s 2s +50%
mlk_polyvec_invntt_tomont 3s 4s -25%
mlk_polyvec_reduce 3s 3s +0%
mlk_rej_uniform 3s 4s -25%
mlk_scalar_decompress_d11 3s 2s +50%
mlk_scalar_decompress_d4 3s 4s -25%
mlk_scalar_signed_to_unsigned_q 3s 1s +200%
mlk_shake128_absorb_once 3s 4s -25%
mlk_shake128x4_absorb_once 3s 3s +0%
mlk_value_barrier_u8 3s 3s +0%
poly_getnoise_eta1122_4x_native 3s 3s +0%
polyvec_basemul_acc_montgomery_cached_k3_native_x86_64 3s 2s +50%
rej_uniform_native_aarch64 3s 3s +0%
intt_native_aarch64 2s 2s +0%
keccak_f1600_x1_native_aarch64 2s 3s -33%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 2s +0%
keccakf1600x4_extract_bytes_native 2s 1s +100%
keccakf1600x4_xor_bytes_native 2s 3s -33%
kem_check_sk 2s 4s -50%
kem_keypair 2s 1s +100%
mlk_ct_cmask_nonzero_u16 2s 2s +0%
mlk_ct_cmov_zero 2s 3s -33%
mlk_ct_get_optblocker_u32 2s 3s -33%
mlk_ct_get_optblocker_u8 2s 3s -33%
mlk_ct_sel_int16 2s 2s +0%
mlk_gen_matrix 2s 3s -33%
mlk_gen_matrix_serial 2s 4s -50%
mlk_keccakf1600_permute 2s 3s -33%
mlk_keccakf1600_xor_bytes 2s 5s -60%
mlk_poly_decompress_du 2s 2s +0%
mlk_poly_mulcache_compute_native 2s 2s +0%
mlk_poly_ntt 2s 3s -33%
mlk_poly_ntt_c 2s 3s -33%
mlk_poly_reduce_c 2s 3s -33%
mlk_poly_tobytes_native 2s 3s -33%
mlk_poly_tomont_native 2s 3s -33%
mlk_polyvec_compress_du 2s 2s +0%
mlk_polyvec_decompress_du 2s 3s -33%
mlk_polyvec_frombytes 2s 5s -60%
mlk_polyvec_mulcache_compute 2s 2s +0%
mlk_scalar_compress_d1 2s 2s +0%
mlk_scalar_compress_d10 2s 2s +0%
mlk_scalar_compress_d4 2s 2s +0%
mlk_scalar_decompress_d5 2s 3s -33%
mlk_sha3_256 2s 2s +0%
mlk_sha3_512 2s 2s +0%
mlk_shake128x4_squeezeblocks 2s 1s +100%
mlk_shake256 2s 2s +0%
mlk_value_barrier_i32 2s 1s +100%
mlk_value_barrier_u32 2s 2s +0%
poly_mulcache_compute_native_aarch64 2s 3s -33%
poly_reduce_native_aarch64 2s 1s +100%
poly_tobytes_native_aarch64 2s 4s -50%
poly_tobytes_native_x86_64 2s 3s -33%
poly_tomont_native_aarch64 2s 2s +0%
polyvec_basemul_acc_montgomery_cached_k2_native_aarch64 2s 1s +100%
polyvec_basemul_acc_montgomery_cached_k4_native_aarch64 2s 1s +100%
polyvec_basemul_acc_montgomery_cached_k4_native_x86_64 2s 2s +0%
rej_uniform_native 2s 4s -50%
mlk_keccakf1600_extract_bytes (big endian) - 2s -
mlk_keccakf1600_xor_bytes (big endian) - 2s -
keccak_f1600_x4_native_aarch64_v84a 1s 2s -50%
kem_keypair_derand 1s 3s -67%
mlk_ct_sel_uint8 1s 3s -67%
mlk_montgomery_reduce 1s 1s +0%
mlk_poly_add 1s 2s -50%
mlk_poly_getnoise_eta1_4x 1s 2s -50%
mlk_poly_mulcache_compute 1s 3s -67%
mlk_polyvec_permute_bitrev_to_custom 1s 2s -50%
mlk_polyvec_tobytes 1s 2s -50%
mlk_scalar_compress_d11 1s 4s -75%
mlk_scalar_compress_d5 1s 4s -75%
mlk_scalar_decompress_d10 1s 1s +0%
ntt_native_aarch64 1s 5s -80%
nttunpack_native_x86_64 1s 2s -50%
sys_check_capability 1s 1s +0%

@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 25, 2026
edited
Loading

CBMC Results (ML-KEM-768)

⚠️ Attention Required

Proof Status Current Previous Change
mlk_keccakf1600_extract_bytes (big endian) - 2s -
mlk_keccakf1600_xor_bytes (big endian) - 3s -
Full Results (153 proofs)
Proof Status Current Previous Change
**TOTAL** 1322s 1312s +0.8%
mlk_indcpa_keypair_derand 241s 235s +3%
mlk_indcpa_enc 183s 186s -2%
mlk_keccak_squeezeblocks_x4 148s 145s +2%
mlk_rej_uniform_c 67s 65s +3%
polyvec_basemul_acc_montgomery_cached_native 60s 56s +7%
mlk_polyvec_basemul_acc_montgomery_cached_c 47s 48s -2%
mlk_poly_rej_uniform 32s 31s +3%
poly_ntt_native 31s 27s +15%
mlk_polyvec_add 27s 26s +4%
keccakf1600x4_permute_native_x4 19s 19s +0%
mlk_ntt_layer 19s 17s +12%
mlk_indcpa_dec 17s 15s +13%
mlk_poly_reduce_native 14s 12s +17%
mlk_ntt_butterfly_block 11s 7s +57%
mlk_keccak_absorb_once_x4 10s 9s +11%
mlk_keccak_squeeze_once 9s 8s +12%
mlk_poly_sub 9s 9s +0%
mlk_gen_matrix 7s 5s +40%
mlk_poly_frombytes_native 7s 8s -12%
mlk_poly_rej_uniform_x4 7s 7s +0%
keccakf1600_permute_native 6s 5s +20%
mlk_fqmul 6s 6s +0%
mlk_invntt_layer 6s 3s +100%
mlk_keccak_squeezeblocks 6s 10s -40%
mlk_poly_frommsg 6s 5s +20%
mlk_scalar_compress_d11 6s 3s +100%
kem_check_sk 5s 1s +400%
kem_dec 5s 8s -38%
kem_keypair 5s 2s +150%
mlk_ct_sel_int16 5s 2s +150%
mlk_gen_matrix_serial 5s 3s +67%
mlk_keccak_absorb_once 5s 4s +25%
mlk_polymat_permute_bitrev_to_custom 5s 5s +0%
mlk_shake256x4 5s 5s +0%
intt_native_x86_64 4s 2s +100%
kem_enc_derand 4s 3s +33%
mlk_ct_cmask_nonzero_u8 4s 2s +100%
mlk_poly_compress_du 4s 3s +33%
mlk_poly_compress_dv 4s 3s +33%
mlk_poly_invntt_tomont 4s 3s +33%
mlk_poly_ntt 4s 3s +33%
mlk_scalar_compress_d1 4s 2s +100%
mlk_shake128_squeezeblocks 4s 3s +33%
mlk_value_barrier_i32 4s 3s +33%
nttunpack_native_x86_64 4s 5s -20%
poly_reduce_native_aarch64 4s 1s +300%
keccakf1600x4_xor_bytes_native 3s 4s -25%
kem_check_pk 3s 3s +0%
kem_keypair_derand 3s 4s -25%
mlk_barrett_reduce 3s 1s +200%
mlk_ct_cmask_nonzero_u16 3s 6s -50%
mlk_ct_cmov_zero 3s 2s +50%
mlk_ct_get_optblocker_i32 3s 2s +50%
mlk_ct_get_optblocker_u8 3s 1s +200%
mlk_keccakf1600_permute 3s 3s +0%
mlk_keccakf1600x4_extract_bytes 3s 3s +0%
mlk_matvec_mul 3s 2s +50%
mlk_montgomery_reduce 3s 2s +50%
mlk_poly_frombytes_c 3s 1s +200%
mlk_poly_getnoise_eta1122_4x 3s 3s +0%
mlk_poly_getnoise_eta1_4x 3s 5s -40%
mlk_poly_mulcache_compute 3s 4s -25%
mlk_poly_mulcache_compute_c 3s 3s +0%
mlk_poly_tobytes_c 3s 1s +200%
mlk_poly_tomsg 3s 3s +0%
mlk_polyvec_basemul_acc_montgomery_cached 3s 4s -25%
mlk_polyvec_frombytes 3s 3s +0%
mlk_polyvec_ntt 3s 4s -25%
mlk_polyvec_permute_bitrev_to_custom_native 3s 2s +50%
mlk_polyvec_tomont 3s 3s +0%
mlk_scalar_compress_d10 3s 2s +50%
mlk_scalar_compress_d4 3s 3s +0%
mlk_scalar_signed_to_unsigned_q 3s 1s +200%
mlk_shake128x4_absorb_once 3s 3s +0%
ntt_native_x86_64 3s 3s +0%
poly_frombytes_native_x86_64 3s 5s -40%
poly_mulcache_compute_native_aarch64 3s 2s +50%
poly_mulcache_compute_native_x86_64 3s 1s +200%
poly_tomont_native_x86_64 3s 3s +0%
polyvec_basemul_acc_montgomery_cached_k2_native_x86_64 3s 4s -25%
polyvec_basemul_acc_montgomery_cached_k4_native_aarch64 3s 1s +200%
polyvec_basemul_acc_montgomery_cached_k4_native_x86_64 3s 2s +50%
rej_uniform_native 3s 3s +0%
rej_uniform_native_aarch64 3s 2s +50%
intt_native_aarch64 2s 3s -33%
keccak_f1600_x1_native_aarch64 2s 2s +0%
keccak_f1600_x4_native_aarch64_v84a 2s 3s -33%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 4s -50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 3s -33%
kem_enc 2s 3s -33%
mlk_check_pct 2s 4s -50%
mlk_ct_cmask_neg_i16 2s 3s -33%
mlk_ct_get_optblocker_u32 2s 2s +0%
mlk_ct_memcmp 2s 2s +0%
mlk_ct_sel_uint8 2s 1s +100%
mlk_keccakf1600_extract_bytes 2s 2s +0%
mlk_keccakf1600_xor_bytes 2s 3s -33%
mlk_keccakf1600x4_permute 2s 3s -33%
mlk_poly_add 2s 2s +0%
mlk_poly_cbd_eta2 2s 4s -50%
mlk_poly_decompress_du 2s 3s -33%
mlk_poly_decompress_dv 2s 2s +0%
mlk_poly_frombytes 2s 2s +0%
mlk_poly_getnoise_eta1_4x_native 2s 4s -50%
mlk_poly_invntt_tomont_c 2s 2s +0%
mlk_poly_mulcache_compute_native 2s 2s +0%
mlk_poly_reduce 2s 2s +0%
mlk_poly_tobytes 2s 2s +0%
mlk_poly_tobytes_native 2s 2s +0%
mlk_poly_tomont_native 2s 3s -33%
mlk_polyvec_compress_du 2s 3s -33%
mlk_polyvec_decompress_du 2s 3s -33%
mlk_polyvec_invntt_tomont 2s 5s -60%
mlk_polyvec_mulcache_compute 2s 3s -33%
mlk_polyvec_permute_bitrev_to_custom 2s 1s +100%
mlk_polyvec_reduce 2s 1s +100%
mlk_scalar_compress_d5 2s 2s +0%
mlk_scalar_decompress_d10 2s 3s -33%
mlk_scalar_decompress_d11 2s 3s -33%
mlk_scalar_decompress_d4 2s 2s +0%
mlk_scalar_decompress_d5 2s 4s -50%
mlk_sha3_256 2s 1s +100%
mlk_sha3_512 2s 1s +100%
mlk_shake128_absorb_once 2s 3s -33%
mlk_shake128x4_squeezeblocks 2s 1s +100%
mlk_shake256 2s 1s +100%
mlk_value_barrier_u32 2s 3s -33%
ntt_native_aarch64 2s 3s -33%
poly_getnoise_eta1122_4x_native 2s 2s +0%
poly_invntt_tomont_native 2s 2s +0%
poly_tobytes_native_aarch64 2s 3s -33%
poly_tomont_native_aarch64 2s 3s -33%
polyvec_basemul_acc_montgomery_cached_k2_native_aarch64 2s 3s -33%
polyvec_basemul_acc_montgomery_cached_k3_native_aarch64 2s 3s -33%
polyvec_basemul_acc_montgomery_cached_k3_native_x86_64 2s 4s -50%
rej_uniform_native_x86_64 2s 3s -33%
mlk_keccakf1600_extract_bytes (big endian) - 2s -
mlk_keccakf1600_xor_bytes (big endian) - 3s -
keccak_f1600_x1_native_aarch64_v84a 1s 2s -50%
keccakf1600x4_extract_bytes_native 1s 2s -50%
mlk_keccakf1600x4_xor_bytes 1s 2s -50%
mlk_poly_cbd_eta1 1s 4s -75%
mlk_poly_getnoise_eta2 1s 2s -50%
mlk_poly_ntt_c 1s 5s -80%
mlk_poly_reduce_c 1s 4s -75%
mlk_poly_tomont 1s 4s -75%
mlk_poly_tomont_c 1s 3s -67%
mlk_polyvec_tobytes 1s 3s -67%
mlk_rej_uniform 1s 2s -50%
mlk_value_barrier_u8 1s 2s -50%
poly_reduce_native_x86_64 1s 2s -50%
poly_tobytes_native_x86_64 1s 1s +0%
sys_check_capability 1s 1s +0%

@oqs-bot
Copy link
Contributor

oqs-bot commented Feb 25, 2026
edited
Loading

CBMC Results (ML-KEM-1024)

⚠️ Attention Required

Proof Status Current Previous Change
mlk_keccakf1600_extract_bytes (big endian) - 1s -
mlk_keccakf1600_xor_bytes (big endian) - 2s -
Full Results (153 proofs)
Proof Status Current Previous Change
**TOTAL** 2380s 2467s -3.5%
mlk_indcpa_enc 1211s 1295s -6%
mlk_indcpa_keypair_derand 203s 205s -1%
mlk_keccak_squeezeblocks_x4 142s 147s -3%
polyvec_basemul_acc_montgomery_cached_native 115s 115s +0%
mlk_rej_uniform_c 66s 69s -4%
mlk_polyvec_basemul_acc_montgomery_cached_c 55s 56s -2%
mlk_poly_rej_uniform 33s 33s +0%
poly_ntt_native 24s 23s +4%
mlk_poly_decompress_dv 20s 18s +11%
keccakf1600x4_permute_native_x4 19s 20s -5%
mlk_ntt_layer 19s 16s +19%
mlk_indcpa_dec 14s 15s -7%
mlk_poly_reduce_native 14s 13s +8%
mlk_polyvec_ntt 13s 13s +0%
mlk_ntt_butterfly_block 11s 7s +57%
mlk_poly_sub 10s 11s -9%
mlk_polyvec_add 10s 8s +25%
mlk_keccak_absorb_once_x4 9s 10s -10%
mlk_poly_compress_du 9s 8s +12%
mlk_poly_frombytes_native 9s 8s +12%
mlk_fqmul 8s 6s +33%
mlk_poly_frommsg 8s 6s +33%
kem_dec 7s 7s +0%
mlk_gen_matrix 7s 7s +0%
mlk_gen_matrix_serial 7s 5s +40%
mlk_keccak_squeezeblocks 7s 9s -22%
mlk_poly_rej_uniform_x4 7s 7s +0%
mlk_keccak_squeeze_once 6s 6s +0%
mlk_shake256x4 6s 7s -14%
keccakf1600_permute_native 5s 4s +25%
mlk_poly_cbd_eta1 5s 3s +67%
mlk_sha3_256 5s 1s +400%
poly_frombytes_native_x86_64 5s 4s +25%
kem_check_pk 4s 4s +0%
mlk_ct_sel_int16 4s 1s +300%
mlk_invntt_layer 4s 4s +0%
mlk_keccak_absorb_once 4s 4s +0%
mlk_poly_add 4s 3s +33%
mlk_poly_frombytes 4s 3s +33%
mlk_poly_mulcache_compute_c 4s 3s +33%
mlk_polymat_permute_bitrev_to_custom 4s 5s -20%
mlk_scalar_signed_to_unsigned_q 4s 3s +33%
mlk_shake128_absorb_once 4s 2s +100%
ntt_native_x86_64 4s 4s +0%
poly_invntt_tomont_native 4s 2s +100%
poly_tobytes_native_aarch64 4s 2s +100%
polyvec_basemul_acc_montgomery_cached_k4_native_aarch64 4s 3s +33%
intt_native_x86_64 3s 2s +50%
keccak_f1600_x1_native_aarch64 3s 3s +0%
keccakf1600x4_extract_bytes_native 3s 2s +50%
keccakf1600x4_xor_bytes_native 3s 4s -25%
kem_enc 3s 2s +50%
kem_enc_derand 3s 2s +50%
mlk_barrett_reduce 3s 2s +50%
mlk_ct_cmask_neg_i16 3s 1s +200%
mlk_ct_cmov_zero 3s 3s +0%
mlk_ct_get_optblocker_i32 3s 3s +0%
mlk_ct_get_optblocker_u8 3s 3s +0%
mlk_keccakf1600_extract_bytes 3s 3s +0%
mlk_keccakf1600_permute 3s 4s -25%
mlk_keccakf1600x4_extract_bytes 3s 1s +200%
mlk_matvec_mul 3s 5s -40%
mlk_poly_cbd_eta2 3s 3s +0%
mlk_poly_compress_dv 3s 3s +0%
mlk_poly_frombytes_c 3s 2s +50%
mlk_poly_getnoise_eta1122_4x 3s 4s -25%
mlk_poly_getnoise_eta1_4x_native 3s 3s +0%
mlk_poly_mulcache_compute 3s 2s +50%
mlk_poly_reduce 3s 2s +50%
mlk_poly_tobytes 3s 2s +50%
mlk_poly_tobytes_c 3s 2s +50%
mlk_poly_tobytes_native 3s 3s +0%
mlk_polyvec_frombytes 3s 1s +200%
mlk_polyvec_permute_bitrev_to_custom_native 3s 3s +0%
mlk_polyvec_tomont 3s 3s +0%
mlk_rej_uniform 3s 2s +50%
mlk_scalar_compress_d1 3s 2s +50%
mlk_scalar_compress_d4 3s 3s +0%
mlk_scalar_compress_d5 3s 4s -25%
mlk_scalar_decompress_d11 3s 3s +0%
mlk_scalar_decompress_d4 3s 2s +50%
mlk_sha3_512 3s 1s +200%
mlk_shake128_squeezeblocks 3s 2s +50%
mlk_value_barrier_u32 3s 4s -25%
nttunpack_native_x86_64 3s 2s +50%
poly_getnoise_eta1122_4x_native 3s 3s +0%
polyvec_basemul_acc_montgomery_cached_k2_native_aarch64 3s 2s +50%
polyvec_basemul_acc_montgomery_cached_k2_native_x86_64 3s 3s +0%
polyvec_basemul_acc_montgomery_cached_k3_native_aarch64 3s 2s +50%
polyvec_basemul_acc_montgomery_cached_k3_native_x86_64 3s 4s -25%
rej_uniform_native_aarch64 3s 3s +0%
intt_native_aarch64 2s 3s -33%
keccak_f1600_x1_native_aarch64_v84a 2s 4s -50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 2s +0%
kem_check_sk 2s 4s -50%
kem_keypair 2s 2s +0%
mlk_check_pct 2s 2s +0%
mlk_ct_cmask_nonzero_u16 2s 5s -60%
mlk_ct_cmask_nonzero_u8 2s 3s -33%
mlk_ct_get_optblocker_u32 2s 2s +0%
mlk_ct_memcmp 2s 3s -33%
mlk_ct_sel_uint8 2s 3s -33%
mlk_keccakf1600x4_xor_bytes 2s 4s -50%
mlk_montgomery_reduce 2s 1s +100%
mlk_poly_decompress_du 2s 2s +0%
mlk_poly_getnoise_eta1_4x 2s 1s +100%
mlk_poly_getnoise_eta2 2s 1s +100%
mlk_poly_mulcache_compute_native 2s 1s +100%
mlk_poly_ntt_c 2s 2s +0%
mlk_poly_tomont_c 2s 2s +0%
mlk_poly_tomont_native 2s 3s -33%
mlk_poly_tomsg 2s 7s -71%
mlk_polyvec_basemul_acc_montgomery_cached 2s 4s -50%
mlk_polyvec_decompress_du 2s 2s +0%
mlk_polyvec_mulcache_compute 2s 4s -50%
mlk_polyvec_permute_bitrev_to_custom 2s 1s +100%
mlk_polyvec_reduce 2s 2s +0%
mlk_polyvec_tobytes 2s 3s -33%
mlk_scalar_compress_d10 2s 2s +0%
mlk_scalar_compress_d11 2s 2s +0%
mlk_scalar_decompress_d10 2s 3s -33%
mlk_scalar_decompress_d5 2s 2s +0%
mlk_shake128x4_absorb_once 2s 1s +100%
mlk_shake256 2s 3s -33%
mlk_value_barrier_i32 2s 2s +0%
mlk_value_barrier_u8 2s 2s +0%
ntt_native_aarch64 2s 4s -50%
poly_mulcache_compute_native_x86_64 2s 2s +0%
poly_reduce_native_x86_64 2s 3s -33%
poly_tobytes_native_x86_64 2s 2s +0%
poly_tomont_native_aarch64 2s 2s +0%
poly_tomont_native_x86_64 2s 3s -33%
rej_uniform_native 2s 1s +100%
rej_uniform_native_x86_64 2s 1s +100%
mlk_keccakf1600_extract_bytes (big endian) - 1s -
mlk_keccakf1600_xor_bytes (big endian) - 2s -
keccak_f1600_x4_native_aarch64_v84a 1s 2s -50%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 1s 2s -50%
kem_keypair_derand 1s 2s -50%
mlk_keccakf1600_xor_bytes 1s 2s -50%
mlk_keccakf1600x4_permute 1s 2s -50%
mlk_poly_invntt_tomont 1s 2s -50%
mlk_poly_invntt_tomont_c 1s 2s -50%
mlk_poly_ntt 1s 3s -67%
mlk_poly_reduce_c 1s 3s -67%
mlk_poly_tomont 1s 2s -50%
mlk_polyvec_compress_du 1s 1s +0%
mlk_polyvec_invntt_tomont 1s 1s +0%
mlk_shake128x4_squeezeblocks 1s 4s -75%
poly_mulcache_compute_native_aarch64 1s 2s -50%
poly_reduce_native_aarch64 1s 1s +0%
polyvec_basemul_acc_montgomery_cached_k4_native_x86_64 1s 3s -67%
sys_check_capability 1s 2s -50%

@bremoran
Fix interleaving error
1a8e420 
Signed-off-by: Brendan Moran <brendan.moran@arm.com>
@bremoran
Run autogen on previous commit
27acc6f 
Signed-off-by: Brendan Moran <brendan.moran@arm.com>
mkannwischer
mkannwischer reviewed Feb 25, 2026
View reviewed changes
mlkem/src/fips202/keccakf1600.c
void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
unsigned offset, unsigned length)
{
#if defined(MLK_USE_FIPS202_X1_EXTRACT_BYTES_NATIVE)
Copy link
Contributor

@mkannwischer mkannwischer Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need a CBMC proof for this branch

mkannwischer
mkannwischer reviewed Feb 25, 2026
View reviewed changes
mlkem/src/fips202/keccakf1600.c
void mlk_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
unsigned offset, unsigned length)
{
#if defined(MLK_USE_FIPS202_X1_XOR_BYTES_NATIVE)
Copy link
Contributor

@mkannwischer mkannwischer Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need a CBMC proof for this branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkannwischer mkannwischer mkannwischer left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Armv8.1-M: Add native bitinterleaving x1 Armv8.1-M: Add native Keccak x1

3 participants

@bremoran @oqs-bot @mkannwischer