Skip to content

Add configs to disable unused APIs [full CI]#1000

Merged
mkannwischer merged 9 commits intomainfrom
config-disable-apis
Apr 16, 2026
Merged

Add configs to disable unused APIs [full CI]#1000
mkannwischer merged 9 commits intomainfrom
config-disable-apis

Conversation

@mkannwischer
Copy link
Copy Markdown
Contributor

@mkannwischer mkannwischer commented Mar 21, 2026

Continuation of #960 by @flynd to run full CI.

@mkannwischer mkannwischer mentioned this pull request Mar 21, 2026
Closed
@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Mar 21, 2026
edited
Loading

CBMC Results (ML-DSA-65)

Full Results (186 proofs)
Proof Status Current Previous Change
**TOTAL** 2373s 2674s -11.3%
polyvecl_pointwise_acc_montgomery_c 520s 702s -26%
sign_verify_internal 257s 280s -8%
poly_pointwise_montgomery_c 146s 180s -19%
rej_uniform_native 134s 146s -8%
polyvec_matrix_expand 85s 91s -7%
mld_attempt_signature_generation 81s 86s -6%
mld_ct_memcmp 70s 79s -11%
mld_invntt_layer 62s 64s -3%
mld_ntt_layer 50s 53s -6%
polyvec_matrix_expand_serial 47s 54s -13%
polymat_permute_bitrev_to_custom 34s 37s -8%
mld_compute_t0_t1_tr_from_sk_components 29s 28s +4%
sign_signature_internal 26s 28s -7%
poly_chknorm_c 20s 21s -5%
rej_uniform 19s 24s -21%
fqmul 18s 19s -5%
polyveck_decompose 18s 18s +0%
poly_uniform_eta_4x 15s 17s -12%
polyt0_unpack 15s 15s +0%
rej_uniform_c 15s 16s -6%
keccakf1600x4_permute_native 14s 14s +0%
poly_uniform_4x 14s 16s -12%
mld_check_pct 12s 12s +0%
poly_add 11s 12s -8%
polyvec_matrix_pointwise_montgomery 11s 14s -21%
polyvecl_ntt 11s 9s +22%
keccak_absorb_once_x4 10s 9s +11%
mld_compute_pack_z 10s 6s +67%
mld_ntt_butterfly_block 10s 16s -38%
polyveck_power2round 10s 13s -23%
polyveck_add 9s 10s -10%
polyveck_use_hint 9s 8s +12%
keccak_absorb 8s 8s +0%
pointwise_acc_native_x86_64 8s 5s +60%
poly_decompose_c 8s 5s +60%
polyveck_caddq 8s 7s +14%
polyveck_sub 8s 9s -11%
keccakf1600_permute 7s 8s -12%
keccakf1600_permute_native 7s 7s +0%
mld_sample_s1_s2 7s 5s +40%
polyveck_ntt 7s 7s +0%
polyveck_reduce 7s 5s +40%
sign 7s 6s +17%
sign_open 7s 4s +75%
sign_signature 7s 3s +133%
unpack_sk 7s 8s -12%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 6s 3s +100%
mld_sample_s1_s2_serial 6s 5s +20%
pointwise_acc_native_aarch64 6s 8s -25%
poly_caddq_c 6s 6s +0%
poly_uniform_eta 6s 5s +20%
polyveck_invntt_tomont 6s 5s +20%
polyveck_shiftl 6s 9s -33%
rej_eta_native 6s 4s +50%
shake256_release 6s 5s +20%
sign_pk_from_sk 6s 8s -25%
sign_verify_pre_hash_shake256 6s 4s +50%
decompose 5s 2s +150%
keccakf1600_extract_bytes (big endian) 5s 5s +0%
keccakf1600x4_xor_bytes 5s 5s +0%
make_hint 5s 4s +25%
mld_h 5s 6s -17%
mld_polyvecl_permute_bitrev_to_custom_native 5s 4s +25%
poly_challenge 5s 6s -17%
poly_chknorm_native 5s 3s +67%
poly_invntt_tomont_c 5s 7s -29%
poly_make_hint 5s 3s +67%
poly_pointwise_montgomery 5s 3s +67%
poly_use_hint 5s 2s +150%
poly_use_hint_native 5s 2s +150%
polyeta_pack 5s 4s +25%
polyveck_pointwise_poly_montgomery 5s 8s -38%
polyveck_unpack_t0 5s 5s +0%
polyvecl_pack_eta 5s 2s +150%
polyvecl_uniform_gamma1 5s 5s +0%
sign_keypair_internal 5s 6s -17%
sign_verify 5s 4s +25%
unpack_hints 5s 6s -17%
caddq 4s 2s +100%
keccak_squeezeblocks_x4 4s 6s -33%
mld_ct_cmask_nonzero_u8 4s 1s +300%
mld_ct_sel_int32 4s 2s +100%
mld_prepare_domain_separation_prefix 4s 4s +0%
ntt_native_aarch64 4s 3s +33%
ntt_native_x86_64 4s 2s +100%
pack_sig_c 4s 6s -33%
poly_chknorm 4s 3s +33%
poly_decompose 4s 4s +0%
poly_power2round 4s 3s +33%
poly_uniform 4s 3s +33%
poly_uniform_gamma1_4x 4s 4s +0%
poly_use_hint_c 4s 5s -20%
polyeta_unpack 4s 4s +0%
polyvecl_chknorm 4s 5s -20%
polyvecl_permute_bitrev_to_custom 4s 2s +100%
polyvecl_unpack_eta 4s 2s +100%
rej_eta 4s 4s +0%
rej_eta_c 4s 3s +33%
shake128_absorb 4s 3s +33%
shake256 4s 3s +33%
shake256x4_squeezeblocks 4s 3s +33%
sign_keypair 4s 3s +33%
sign_signature_extmu 4s 5s -20%
unpack_pk 4s 2s +100%
unpack_sig 4s 5s -20%
use_hint 4s 2s +100%
fqscale 3s 3s +0%
keccakf1600x4_permute 3s 2s +50%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_ct_get_optblocker_i64 3s 2s +50%
mld_ct_get_optblocker_u8 3s 5s -40%
mld_value_barrier_u32 3s 1s +200%
pack_pk 3s 2s +50%
pack_sig_h_poly 3s 4s -25%
pack_sig_z 3s 4s -25%
pack_sk 3s 2s +50%
pointwise_native_aarch64 3s 3s +0%
pointwise_native_x86_64 3s 4s -25%
poly_caddq_native_aarch64 3s 4s -25%
poly_chknorm_native_aarch64 3s 2s +50%
poly_decompose_native 3s 4s -25%
poly_invntt_tomont 3s 4s -25%
poly_invntt_tomont_native 3s 3s +0%
poly_reduce 3s 3s +0%
poly_sub 3s 4s -25%
polyt0_pack 3s 2s +50%
polyveck_chknorm 3s 5s -40%
polyveck_pack_eta 3s 4s -25%
polyveck_pack_t0 3s 4s -25%
polyveck_unpack_eta 3s 2s +50%
polyvecl_pointwise_acc_montgomery 3s 3s +0%
polyvecl_pointwise_acc_montgomery_native 3s 5s -40%
polyvecl_uniform_gamma1_serial 3s 4s -25%
polyz_unpack 3s 5s -40%
polyz_unpack_native 3s 3s +0%
reduce32 3s 2s +50%
shake128_finalize 3s 5s -40%
shake128_init 3s 2s +50%
shake128x4_absorb_once 3s 2s +50%
shake256_squeeze 3s 2s +50%
sign_signature_pre_hash_internal 3s 2s +50%
sign_signature_pre_hash_shake256 3s 5s -40%
sign_verify_extmu 3s 5s -40%
sign_verify_pre_hash_internal 3s 5s -40%
sys_check_capability 3s 2s +50%
keccak_f1600_x1_native_aarch64 2s 3s -33%
keccak_f1600_x1_native_aarch64_v84a 2s 3s -33%
keccak_finalize 2s 3s -33%
keccak_init 2s 2s +0%
keccak_squeeze 2s 4s -50%
keccakf1600_xor_bytes (big endian) 2s 2s +0%
keccakf1600x4_extract_bytes 2s 2s +0%
mld_ct_abs_i32 2s 2s +0%
mld_ct_cmask_neg_i32 2s 2s +0%
mld_ct_get_optblocker_u32 2s 3s -33%
mld_keccakf1600_extract_bytes 2s 2s +0%
mld_value_barrier_i64 2s 3s -33%
mld_value_barrier_u8 2s 2s +0%
montgomery_reduce 2s 6s -67%
poly_caddq 2s 3s -33%
poly_caddq_native 2s 4s -50%
poly_ntt 2s 2s +0%
poly_ntt_c 2s 3s -33%
poly_ntt_native 2s 4s -50%
poly_pointwise_montgomery_native 2s 4s -50%
poly_shiftl 2s 2s +0%
poly_uniform_gamma1 2s 3s -33%
polyt1_pack 2s 4s -50%
polyt1_unpack 2s 3s -33%
polyveck_pack_w1 2s 4s -50%
polyvecl_unpack_z 2s 2s +0%
polyw1_pack 2s 2s +0%
polyz_pack 2s 2s +0%
polyz_unpack_c 2s 2s +0%
power2round 2s 4s -50%
shake128_release 2s 3s -33%
shake128_squeeze 2s 3s -33%
shake128x4_squeezeblocks 2s 2s +0%
shake256_absorb 2s 4s -50%
shake256_finalize 2s 2s +0%
shake256_init 2s 2s +0%
shake256x4_absorb_once 2s 4s -50%
intt_native_x86_64 1s 3s -67%
keccak_f1600_x4_native_aarch64_v84a 1s 2s -50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 1s 2s -50%
keccakf1600_xor_bytes 1s 1s +0%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Mar 21, 2026
edited
Loading

CBMC Results (ML-DSA-44)

Full Results (186 proofs)
Proof Status Current Previous Change
**TOTAL** 2017s 2014s +0.1%
sign_verify_internal 239s 230s +4%
polyvecl_pointwise_acc_montgomery_c 179s 181s -1%
poly_pointwise_montgomery_c 171s 177s -3%
rej_uniform_native 150s 147s +2%
mld_attempt_signature_generation 134s 131s +2%
mld_ct_memcmp 75s 80s -6%
mld_invntt_layer 71s 67s +6%
mld_ntt_layer 55s 55s +0%
polymat_permute_bitrev_to_custom 30s 29s +3%
polyvec_matrix_expand 28s 25s +12%
sign_signature_internal 27s 23s +17%
rej_uniform 23s 22s +5%
fqmul 22s 20s +10%
poly_chknorm_c 21s 23s -9%
poly_uniform_eta_4x 19s 18s +6%
keccakf1600x4_permute_native 15s 15s +0%
polyeta_unpack 15s 17s -12%
rej_uniform_c 15s 18s -17%
mld_check_pct 14s 10s +40%
poly_uniform_4x 14s 15s -7%
mld_compute_t0_t1_tr_from_sk_components 13s 12s +8%
polyt0_unpack 13s 14s -7%
polyz_unpack_c 13s 13s +0%
mld_ntt_butterfly_block 12s 13s -8%
polyveck_decompose 12s 10s +20%
keccak_absorb_once_x4 11s 13s -15%
polyvec_matrix_pointwise_montgomery 11s 8s +38%
mld_compute_pack_z 10s 8s +25%
poly_add 10s 13s -23%
keccak_absorb 9s 6s +50%
poly_decompose_c 9s 12s -25%
keccakf1600_permute 8s 8s +0%
keccakf1600_permute_native 8s 11s -27%
polyvec_matrix_expand_serial 8s 6s +33%
rej_eta_native 8s 8s +0%
mld_prepare_domain_separation_prefix 7s 5s +40%
polyveck_add 7s 7s +0%
polyveck_ntt 7s 4s +75%
polyvecl_ntt 7s 4s +75%
unpack_sk 7s 9s -22%
pack_pk 6s 5s +20%
pointwise_acc_native_x86_64 6s 5s +20%
poly_chknorm_native 6s 3s +100%
poly_invntt_tomont_c 6s 7s -14%
poly_ntt 6s 2s +200%
poly_pointwise_montgomery 6s 6s +0%
polyveck_pack_eta 6s 4s +50%
polyveck_shiftl 6s 7s -14%
polyveck_sub 6s 8s -25%
sign_pk_from_sk 6s 11s -45%
sign_signature 6s 3s +100%
sign_verify_pre_hash_internal 6s 5s +20%
sign_verify_pre_hash_shake256 6s 4s +50%
keccak_squeezeblocks_x4 5s 5s +0%
mld_h 5s 3s +67%
mld_polyvecl_permute_bitrev_to_custom_native 5s 4s +25%
mld_sample_s1_s2_serial 5s 7s -29%
mld_value_barrier_i64 5s 2s +150%
ntt_native_aarch64 5s 4s +25%
pointwise_acc_native_aarch64 5s 6s -17%
poly_challenge 5s 4s +25%
poly_pointwise_montgomery_native 5s 5s +0%
poly_uniform_gamma1 5s 2s +150%
poly_uniform_gamma1_4x 5s 5s +0%
poly_use_hint_c 5s 6s -17%
polyeta_pack 5s 3s +67%
polyt0_pack 5s 3s +67%
polyveck_invntt_tomont 5s 7s -29%
polyveck_pointwise_poly_montgomery 5s 6s -17%
polyvecl_pack_eta 5s 2s +150%
polyvecl_pointwise_acc_montgomery_native 5s 3s +67%
polyvecl_unpack_eta 5s 4s +25%
rej_eta_c 5s 3s +67%
sign 5s 7s -29%
sign_signature_extmu 5s 3s +67%
sign_verify 5s 4s +25%
unpack_hints 5s 4s +25%
caddq 4s 4s +0%
mld_keccakf1600_extract_bytes 4s 3s +33%
mld_sample_s1_s2 4s 4s +0%
pack_sig_c 4s 3s +33%
pack_sk 4s 3s +33%
pointwise_native_aarch64 4s 3s +33%
poly_caddq_c 4s 6s -33%
poly_decompose_native 4s 2s +100%
poly_invntt_tomont_native 4s 3s +33%
poly_power2round 4s 3s +33%
polyt1_pack 4s 3s +33%
polyveck_caddq 4s 5s -20%
polyveck_pack_t0 4s 5s -20%
polyveck_pack_w1 4s 6s -33%
polyveck_power2round 4s 5s -20%
polyveck_reduce 4s 3s +33%
polyvecl_chknorm 4s 3s +33%
polyvecl_uniform_gamma1 4s 3s +33%
polyvecl_uniform_gamma1_serial 4s 2s +100%
polyw1_pack 4s 4s +0%
polyz_unpack 4s 2s +100%
polyz_unpack_native 4s 5s -20%
shake128_init 4s 4s +0%
shake256 4s 4s +0%
shake256x4_absorb_once 4s 3s +33%
sign_open 4s 4s +0%
unpack_pk 4s 2s +100%
fqscale 3s 2s +50%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x1_native_aarch64 3s 5s -40%
keccak_f1600_x4_native_aarch64_v84a 3s 3s +0%
keccak_squeeze 3s 3s +0%
keccakf1600_xor_bytes (big endian) 3s 2s +50%
keccakf1600x4_extract_bytes 3s 2s +50%
keccakf1600x4_xor_bytes 3s 2s +50%
mld_ct_abs_i32 3s 5s -40%
mld_ct_cmask_nonzero_u32 3s 2s +50%
mld_ct_cmask_nonzero_u8 3s 2s +50%
mld_ct_get_optblocker_i64 3s 4s -25%
mld_ct_sel_int32 3s 3s +0%
ntt_native_x86_64 3s 6s -50%
pack_sig_h_poly 3s 4s -25%
pack_sig_z 3s 4s -25%
pointwise_native_x86_64 3s 3s +0%
poly_caddq_native 3s 5s -40%
poly_caddq_native_aarch64 3s 2s +50%
poly_decompose 3s 3s +0%
poly_ntt_c 3s 4s -25%
poly_reduce 3s 3s +0%
poly_sub 3s 3s +0%
poly_uniform_eta 3s 4s -25%
poly_use_hint 3s 2s +50%
polyt1_unpack 3s 4s -25%
polyveck_chknorm 3s 4s -25%
polyveck_unpack_eta 3s 4s -25%
polyveck_use_hint 3s 6s -50%
polyvecl_permute_bitrev_to_custom 3s 4s -25%
polyvecl_unpack_z 3s 4s -25%
polyz_pack 3s 4s -25%
power2round 3s 3s +0%
reduce32 3s 2s +50%
shake128_release 3s 2s +50%
shake128x4_absorb_once 3s 3s +0%
shake128x4_squeezeblocks 3s 2s +50%
shake256_absorb 3s 2s +50%
shake256_init 3s 3s +0%
shake256_release 3s 5s -40%
sign_keypair 3s 5s -40%
sign_keypair_internal 3s 4s -25%
sign_signature_pre_hash_shake256 3s 4s -25%
use_hint 3s 2s +50%
decompose 2s 2s +0%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 2s 1s +100%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 2s 4s -50%
keccak_finalize 2s 2s +0%
keccak_init 2s 2s +0%
keccakf1600_extract_bytes (big endian) 2s 4s -50%
keccakf1600_xor_bytes 2s 3s -33%
keccakf1600x4_permute 2s 2s +0%
make_hint 2s 3s -33%
mld_ct_cmask_neg_i32 2s 1s +100%
mld_ct_get_optblocker_u32 2s 2s +0%
mld_ct_get_optblocker_u8 2s 2s +0%
mld_value_barrier_u32 2s 3s -33%
montgomery_reduce 2s 3s -33%
poly_caddq 2s 2s +0%
poly_chknorm 2s 2s +0%
poly_chknorm_native_aarch64 2s 3s -33%
poly_invntt_tomont 2s 5s -60%
poly_make_hint 2s 6s -67%
poly_ntt_native 2s 3s -33%
poly_shiftl 2s 1s +100%
poly_uniform 2s 5s -60%
poly_use_hint_native 2s 4s -50%
polyveck_unpack_t0 2s 3s -33%
rej_eta 2s 5s -60%
shake128_absorb 2s 2s +0%
shake128_finalize 2s 1s +100%
shake128_squeeze 2s 5s -60%
shake256_finalize 2s 5s -60%
sign_signature_pre_hash_internal 2s 2s +0%
sign_verify_extmu 2s 4s -50%
sys_check_capability 2s 3s -33%
unpack_sig 2s 3s -33%
mld_value_barrier_u8 1s 2s -50%
polyvecl_pointwise_acc_montgomery 1s 4s -75%
shake256_squeeze 1s 2s -50%
shake256x4_squeezeblocks 1s 2s -50%

@oqs-bot
Copy link
Copy Markdown
Contributor

oqs-bot commented Mar 21, 2026
edited
Loading

CBMC Results (ML-DSA-87)

Full Results (186 proofs)
Proof Status Current Previous Change
**TOTAL** 3186s 3414s -6.7%
polyvecl_pointwise_acc_montgomery_c 1041s 1221s -15%
mld_attempt_signature_generation 227s 231s -2%
polyvec_matrix_expand 171s 181s -6%
sign_verify_internal 165s 166s -1%
poly_pointwise_montgomery_c 155s 167s -7%
rej_uniform_native 138s 140s -1%
polyvec_matrix_expand_serial 119s 129s -8%
mld_ct_memcmp 74s 79s -6%
mld_invntt_layer 60s 64s -6%
mld_ntt_layer 50s 54s -7%
sign_signature_internal 39s 35s +11%
polymat_permute_bitrev_to_custom 28s 28s +0%
polyveck_invntt_tomont 28s 27s +4%
mld_compute_t0_t1_tr_from_sk_components 24s 23s +4%
rej_uniform 23s 25s -8%
fqmul 21s 21s +0%
poly_chknorm_c 20s 21s -5%
poly_uniform_eta_4x 17s 17s +0%
poly_uniform_4x 16s 15s +7%
rej_uniform_c 16s 15s +7%
polyt0_unpack 15s 13s +15%
polyeta_unpack 14s 16s -12%
polyveck_decompose 14s 14s +0%
poly_add 13s 12s +8%
keccakf1600x4_permute_native 12s 15s -20%
polyveck_add 12s 12s +0%
keccak_absorb_once_x4 10s 12s -17%
keccakf1600_permute 10s 7s +43%
mld_ntt_butterfly_block 10s 11s -9%
polyveck_power2round 10s 11s -9%
polyvecl_ntt 10s 7s +43%
unpack_sk 10s 8s +25%
keccak_squeezeblocks_x4 9s 6s +50%
mld_polyvecl_permute_bitrev_to_custom_native 9s 11s -18%
polyveck_reduce 9s 10s -10%
polyveck_use_hint 9s 8s +12%
polyz_unpack_c 9s 10s -10%
sign_pk_from_sk 9s 9s +0%
keccakf1600_permute_native 8s 11s -27%
mld_check_pct 8s 9s -11%
poly_decompose_c 8s 7s +14%
polyvec_matrix_pointwise_montgomery 8s 8s +0%
polyveck_caddq 8s 10s -20%
polyveck_ntt 8s 7s +14%
polyveck_unpack_eta 8s 4s +100%
sign_signature_pre_hash_shake256 8s 6s +33%
keccak_absorb 7s 6s +17%
pointwise_acc_native_aarch64 7s 7s +0%
poly_caddq_c 7s 5s +40%
rej_eta_native 7s 6s +17%
sign 7s 9s -22%
mld_ct_get_optblocker_u8 6s 2s +200%
mld_sample_s1_s2 6s 7s -14%
ntt_native_aarch64 6s 2s +200%
pointwise_acc_native_x86_64 6s 7s -14%
poly_reduce 6s 4s +50%
polyveck_shiftl 6s 4s +50%
polyveck_sub 6s 5s +20%
polyvecl_pack_eta 6s 2s +200%
rej_eta_c 6s 6s +0%
sign_keypair_internal 6s 5s +20%
fqscale 5s 4s +25%
mld_sample_s1_s2_serial 5s 8s -38%
mld_value_barrier_u32 5s 2s +150%
poly_caddq 5s 4s +25%
poly_challenge 5s 5s +0%
poly_uniform_eta 5s 4s +25%
poly_use_hint_native 5s 4s +25%
polyt1_pack 5s 2s +150%
polyveck_chknorm 5s 8s -38%
polyveck_pack_t0 5s 3s +67%
polyveck_pack_w1 5s 4s +25%
polyveck_pointwise_poly_montgomery 5s 7s -29%
polyvecl_chknorm 5s 6s -17%
polyvecl_pointwise_acc_montgomery_native 5s 4s +25%
polyz_unpack_native 5s 4s +25%
sign_open 5s 7s -29%
sign_verify_extmu 5s 2s +150%
sys_check_capability 5s 3s +67%
unpack_hints 5s 5s +0%
decompose 4s 3s +33%
keccak_squeeze 4s 5s -20%
mld_compute_pack_z 4s 5s -20%
mld_h 4s 4s +0%
ntt_native_x86_64 4s 4s +0%
pack_sig_c 4s 2s +100%
pack_sig_h_poly 4s 5s -20%
pointwise_native_aarch64 4s 5s -20%
poly_chknorm 4s 4s +0%
poly_chknorm_native_aarch64 4s 4s +0%
poly_invntt_tomont_c 4s 7s -43%
poly_uniform_gamma1_4x 4s 2s +100%
polyt1_unpack 4s 3s +33%
polyveck_pack_eta 4s 4s +0%
polyvecl_unpack_z 4s 4s +0%
rej_eta 4s 6s -33%
shake128_init 4s 2s +100%
shake128_release 4s 2s +100%
shake128x4_squeezeblocks 4s 2s +100%
sign_keypair 4s 2s +100%
sign_signature 4s 5s -20%
sign_signature_extmu 4s 6s -33%
sign_signature_pre_hash_internal 4s 2s +100%
sign_verify 4s 4s +0%
caddq 3s 4s -25%
intt_native_x86_64 3s 3s +0%
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid 3s 2s +50%
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid 3s 4s -25%
keccak_init 3s 2s +50%
keccakf1600_extract_bytes (big endian) 3s 1s +200%
keccakf1600_xor_bytes 3s 4s -25%
keccakf1600_xor_bytes (big endian) 3s 4s -25%
keccakf1600x4_extract_bytes 3s 4s -25%
mld_ct_cmask_neg_i32 3s 3s +0%
mld_ct_cmask_nonzero_u32 3s 3s +0%
mld_ct_get_optblocker_u32 3s 5s -40%
mld_ct_sel_int32 3s 4s -25%
mld_keccakf1600_extract_bytes 3s 4s -25%
mld_prepare_domain_separation_prefix 3s 5s -40%
mld_value_barrier_i64 3s 3s +0%
montgomery_reduce 3s 3s +0%
pack_pk 3s 4s -25%
poly_caddq_native 3s 3s +0%
poly_caddq_native_aarch64 3s 2s +50%
poly_chknorm_native 3s 2s +50%
poly_decompose 3s 3s +0%
poly_invntt_tomont_native 3s 3s +0%
poly_ntt_native 3s 5s -40%
poly_pointwise_montgomery 3s 5s -40%
poly_pointwise_montgomery_native 3s 3s +0%
poly_power2round 3s 5s -40%
poly_shiftl 3s 2s +50%
poly_uniform 3s 5s -40%
poly_use_hint 3s 2s +50%
poly_use_hint_c 3s 3s +0%
polyeta_pack 3s 2s +50%
polyt0_pack 3s 3s +0%
polyveck_unpack_t0 3s 5s -40%
polyvecl_permute_bitrev_to_custom 3s 2s +50%
polyvecl_uniform_gamma1 3s 5s -40%
polyvecl_uniform_gamma1_serial 3s 3s +0%
polyvecl_unpack_eta 3s 4s -25%
polyw1_pack 3s 2s +50%
polyz_unpack 3s 2s +50%
power2round 3s 2s +50%
shake128_finalize 3s 3s +0%
shake128_squeeze 3s 2s +50%
shake128x4_absorb_once 3s 1s +200%
shake256_absorb 3s 4s -25%
shake256_finalize 3s 2s +50%
shake256_release 3s 3s +0%
shake256x4_absorb_once 3s 3s +0%
sign_verify_pre_hash_internal 3s 6s -50%
sign_verify_pre_hash_shake256 3s 3s +0%
unpack_sig 3s 2s +50%
use_hint 3s 3s +0%
keccak_f1600_x1_native_aarch64_v84a 2s 2s +0%
keccak_f1600_x4_native_aarch64_v84a 2s 4s -50%
keccak_finalize 2s 3s -33%
make_hint 2s 2s +0%
mld_ct_abs_i32 2s 4s -50%
mld_ct_cmask_nonzero_u8 2s 2s +0%
mld_ct_get_optblocker_i64 2s 3s -33%
mld_value_barrier_u8 2s 1s +100%
pack_sig_z 2s 4s -50%
pack_sk 2s 3s -33%
pointwise_native_x86_64 2s 4s -50%
poly_decompose_native 2s 4s -50%
poly_invntt_tomont 2s 1s +100%
poly_make_hint 2s 4s -50%
poly_ntt 2s 3s -33%
poly_ntt_c 2s 2s +0%
poly_sub 2s 4s -50%
poly_uniform_gamma1 2s 2s +0%
polyvecl_pointwise_acc_montgomery 2s 3s -33%
reduce32 2s 2s +0%
shake256 2s 2s +0%
shake256_init 2s 3s -33%
shake256_squeeze 2s 1s +100%
unpack_pk 2s 2s +0%
keccak_f1600_x1_native_aarch64 1s 2s -50%
keccakf1600x4_permute 1s 1s +0%
keccakf1600x4_xor_bytes 1s 4s -75%
polyz_pack 1s 2s -50%
shake128_absorb 1s 3s -67%
shake256x4_squeezeblocks 1s 2s -50%

@mkannwischer mkannwischer force-pushed the config-disable-apis branch 2 times, most recently from 0e7f1ba to 6b89fae Compare March 21, 2026 02:42
@mkannwischer mkannwischer marked this pull request as ready for review March 21, 2026 03:52
@mkannwischer mkannwischer requested a review from a team as a code owner March 21, 2026 03:52
hanno-becker
hanno-becker reviewed Mar 23, 2026
View reviewed changes
Comment thread dev/fips202/aarch64/auto.h Outdated
hanno-becker
hanno-becker reviewed Mar 23, 2026
View reviewed changes
Comment thread examples/disabled_apis_native/Makefile Outdated
@flynd flynd force-pushed the config-disable-apis branch 2 times, most recently from 54b3c74 to ec9c236 Compare March 23, 2026 13:17
@mkannwischer mkannwischer force-pushed the config-disable-apis branch 2 times, most recently from d868b27 to 70be886 Compare April 1, 2026 15:12
@flynd flynd force-pushed the config-disable-apis branch 4 times, most recently from 9ac9432 to dff98f0 Compare April 6, 2026 20:15
@flynd
Copy link
Copy Markdown
Contributor

flynd commented Apr 7, 2026

@hanno-becker : Any chance this can be approved soon? It's been almost 2 months since the first version of these changes and due to the size I need to do a lot of updates when rebasing onto other changes on main.
Also, we're very close to getting the final approval for the project where we will make use of mldsa-native so it would be good to have it on master so I can present a version that works without local patches.

hanno-becker
hanno-becker reviewed Apr 8, 2026
View reviewed changes
Comment thread examples/multilevel_build_native/mldsa_native/mldsa_native_config.h Outdated
hanno-becker
hanno-becker reviewed Apr 8, 2026
View reviewed changes
Comment thread examples/disabled_apis/main.c Outdated
hanno-becker
hanno-becker requested changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the long silence, and thank you very much for all the work on this, @flynd @mkannwischer!

I support the change in principle, but the build + test story needs more work:

  • A plain make test should work with any valid config -- right now, it doesn't. The existing tests and examples need adjusting to only exercise the API that is enabled in the config.
  • Testing the reduced configurations through examples introduces test gaps; e.g., we don't exercise them in monobuilds.

ISTM that we should test this through config variations rather than new examples; this would force/solve both issues above.

@flynd flynd force-pushed the config-disable-apis branch 2 times, most recently from 3be30c0 to 7449c47 Compare April 8, 2026 05:52
This was referenced Apr 8, 2026
Merged
Merged
@flynd flynd force-pushed the config-disable-apis branch from 7449c47 to aff3b9f Compare April 8, 2026 10:14
@flynd
Copy link
Copy Markdown
Contributor

flynd commented Apr 8, 2026

I support the change in principle, but the build + test story needs more work:

  • A plain make test should work with any valid config -- right now, it doesn't. The existing tests and examples need adjusting to only exercise the API that is enabled in the config.
  • Testing the reduced configurations through examples introduces test gaps; e.g., we don't exercise them in monobuilds.

ISTM that we should test this through config variations rather than new examples; this would force/solve both issues above.

I had a look at the tests and this looks like a big change since the pattern of creating key, signing, and then verifying the signature will no longer work. As I'm not at all familiar with these tests, I don't know how to contribute such a change. Do either of you have the time to help out with this? If not, could you give some clear hints on how the tests should be modified and maybe I can try to figure it out.

I did notice though that there were two commits in the stack that could be merged separately so they are now moved to PRs #1029 and #1032.

@flynd flynd force-pushed the config-disable-apis branch from bb5eafc to 6109d2d Compare April 12, 2026 13:33
@hanno-becker hanno-becker force-pushed the config-disable-apis branch 8 times, most recently from 42e289b to 1a28863 Compare April 13, 2026 13:26
@hanno-becker
Copy link
Copy Markdown
Contributor

hanno-becker commented Apr 13, 2026
edited
Loading

@flynd @mkannwischer I had a stab at adjusting the tests. Please have a look if you agree with the approach.

@flynd flynd force-pushed the config-disable-apis branch from 1a28863 to ef6577f Compare April 13, 2026 16:28
@flynd
Copy link
Copy Markdown
Contributor

flynd commented Apr 13, 2026

@flynd @mkannwischer I had a first stab at adjusting the tests. Please have a look if you agree with the approach. I still need to go over it in detail myself, though, so there may still be some low-hanging bugs in it.

Thank you.
I noticed you had fixed a few of the conditions that I had gotten wrong. I have pushed an update where my original commits are fixed instead.

@hanno-becker hanno-becker self-requested a review April 14, 2026 02:55
@flynd flynd force-pushed the config-disable-apis branch from 7acfdb3 to e1492c5 Compare April 15, 2026 06:27
mkannwischer
mkannwischer commented Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@mkannwischer mkannwischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @hanno-becker for adjusting the tests. Looks great to me! Here are a couple of nits. WDYT?

Comment thread scripts/autogen
Comment thread scripts/autogen Outdated
Comment thread scripts/autogen
Comment thread META.sh
Comment thread scripts/autogen Outdated
flynd and others added 9 commits April 16, 2026 06:08
@flynd @hanno-becker
Add config to disable key generation API
f67164e 
Make it possible to exclude key generation when not needed, together
with all internal functions not needed for signature creation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @hanno-becker
Add config to disable signature creation API
6eb3b86 
Make it possible to exclude signature creation when not needed, together
with all internal functions not needed for key generation or signature
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @hanno-becker
Add config to disable signature verification API
3411824 
Make it possible to exclude signature verification when not needed,
together with all internal functions not needed for key generation or
signature creation.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @hanno-becker
Disable functions not used for key generation
70a9db8 
Make it possible to exclude code only used for signature creation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @hanno-becker
Disable functions not used for signature creation
952207f 
Make it possible to exclude code only used for key generation or
verification.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @hanno-becker
Disable functions not used for signature verification
2254b62 
Make it possible to exclude code only used for key generation or
signature creation.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@flynd @hanno-becker
Add config to use only the internal API
c6f7f7e 
Make it possible to exclude the wrapper APIs if not needed and build
only the internal API functions.

Signed-off-by: Anders Sonmark <Anders.Sonmark@axis.com>
@mkannwischer @hanno-becker
Add config validation: MLD_CONFIG_KEYGEN_PCT requires sign and verify…
8ab4eca 
… APIs

The PCT implementation internally calls crypto_sign_signature() and
crypto_sign_verify(), so it is incompatible with MLD_CONFIG_NO_SIGN_API
and MLD_CONFIG_NO_VERIFY_API.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
@hanno-becker
Make tests and examples compatible with reduced-API configurations
2334ea7 
The previous tests and examples assumed all APIs (keygen, sign, verify)
were always available: sign tests generated a keypair as setup, verify
tests generated a keypair and signature as setup, and the alloc test
required keygen for every test function. This made them incompatible
with reduced-API configurations where some APIs are disabled via
MLD_CONFIG_NO_KEYPAIR_API, MLD_CONFIG_NO_SIGN_API, or
MLD_CONFIG_NO_VERIFY_API. Additionally, signature test vector
comparisons depended on PRNG state flowing sequentially from keygen
into signing, which broke when PCT (Pairwise Consistency Test) consumed
extra PRNG bytes during keygen.

This commit introduces auto-generated test vectors and refactors all
tests and examples so that each operation (keygen, sign, verify) can
be tested independently using pre-computed test vectors.

scripts/notrandombytes:
- Add Python implementation of the SURF-based deterministic test PRNG,
  matching the C version in test/notrandombytes/
- Used by autogen --test-vectors to generate reproducible randomness
  for test vector generation

Test vector generation (scripts/autogen --test-vectors):
- Add --test-vectors flag to scripts/autogen that invokes the ACVP
  binaries with randomness from scripts/notrandombytes to generate
  test/test_vectors/expected_test_vectors.h and the multilevel variant
- Generate pk, sk, sig, sig_extmu, and sig_pre_hash_shake256 vectors
  for all three parameter sets (44, 65, 87)
- Include message, context, rnd, and mu in the header so consumers
  don't need to hardcode them
- Array dimensions are explicit in the generated header
- Rename all test vector arrays from expected_xxx to test_vector_xxx
- Add --test-vectors-msg and --test-vectors-ctx flags for custom
  message/context

Test changes (test_mldsa.c):
- The existing tests (test_sign, test_wrong_pk, etc.) require all
  three APIs and are left unchanged, guarded by
  !MLD_CONFIG_NO_KEYPAIR_API && !MLD_CONFIG_NO_SIGN_API &&
  !MLD_CONFIG_NO_VERIFY_API
- Add test_sign_expected() as a new minimal test that works in
  reduced-API configurations: each block (keygen, sign, verify) is
  independently guarded and uses test vectors directly, so e.g. the
  sign block can run without keygen by using test_vector_sk
- Reset PRNG before each independent test operation so signature
  vectors are deterministic regardless of PCT

test_alloc.c and test_rng_fail.c:
- Both files exercise the same 10 API entry points (keygen,
  pk_from_sk, sign, sign_combined, signature_extmu,
  signature_pre_hash_shake256, verify, verify_extmu,
  verify_pre_hash_shake256, open), each independently guarded by
  the minimal required API
- Sign tests use test_vector_sk directly (no keygen dependency)
- Verify tests use test_vector_sig/pk/sig_extmu/sig_pre_hash_shake256
  directly (no sign or keygen dependency)
- main() uses r |= pattern for error accumulation

Example refactoring:
- Hoist test logic into static example_xxx() functions with
  #if/#else/#endif guards and SKIPPED stubs for disabled APIs
- main() is a flat sequence of r |= example_xxx() calls
- Verify moved to independent block (not nested inside sign block)
- example_sign_message requires only sign+verify, not keygen
- Remove redundant duplicate signature verification
- Remove verbose printfs around bare memcmp checks
- Multilevel examples group functions by API guard to reduce
  #if/#endif repetition
- basic_deterministic uses test_vector_rnd from the header instead
  of hardcoded byte arrays

CI (config-variations):
- Add keygen-sign and keygen-verify test configurations, covering
  all 6 combinations of 1 or 2 enabled APIs from {keygen, sign,
  verify}

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
@hanno-becker
Copy link
Copy Markdown
Contributor

hanno-becker commented Apr 16, 2026

@mkannwischer @flynd Ready to go from my perspective.

@mkannwischer mkannwischer merged commit eaa25dd into main Apr 16, 2026
403 checks passed
@mkannwischer mkannwischer deleted the config-disable-apis branch April 16, 2026 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flynd flynd flynd left review comments

@hanno-becker hanno-becker hanno-becker approved these changes

Assignees

@hanno-becker hanno-becker

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mkannwischer @oqs-bot @flynd @hanno-becker