HOL-Light: Add x86 AVX2 nttunpack proof

Signed-off-by: Jake Massimo <jakemas@amazon.com>

Author: jakemas

.github/workflows/hol_light.yml

@@ -163,6 +163,8 @@ jobs:
           # Dependencies on {name}.{S,ml} are implicit
           - name: mldsa_ntt
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
+          - name: mldsa_nttunpack
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml"]
     name: x86_64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-x64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

BIBLIOGRAPHY.md

@@ -249,6 +249,7 @@ source code and documentation.
   - [mldsa/src/native/x86_64/src/rej_uniform_eta2_avx2.c](mldsa/src/native/x86_64/src/rej_uniform_eta2_avx2.c)
   - [mldsa/src/native/x86_64/src/rej_uniform_eta4_avx2.c](mldsa/src/native/x86_64/src/rej_uniform_eta4_avx2.c)
   - [proofs/hol_light/x86_64/mldsa/mldsa_ntt.S](proofs/hol_light/x86_64/mldsa/mldsa_ntt.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_nttunpack.S](proofs/hol_light/x86_64/mldsa/mldsa_nttunpack.S)
 
 ### `Round3_Spec`
 

dev/x86_64/src/nttunpack.S

@@ -13,13 +13,12 @@
  *   https://github.com/pq-crystals/dilithium/tree/master/avx2
  */
 
- /*
+/*
  * This file is derived from the public domain
  * AVX2 Dilithium implementation @[REF_AVX2].
  */
 
- #include "../../../common.h"
-
+#include "../../../common.h"
 #if defined(MLD_ARITH_BACKEND_X86_64_DEFAULT) && \
     !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
 /* simpasm: header-end */

mldsa/src/native/x86_64/src/nttunpack.S

@@ -13,13 +13,12 @@
  *   https://github.com/pq-crystals/dilithium/tree/master/avx2
  */
 
- /*
+/*
  * This file is derived from the public domain
  * AVX2 Dilithium implementation @[REF_AVX2].
  */
 
- #include "../../../common.h"
-
+#include "../../../common.h"
 #if defined(MLD_ARITH_BACKEND_X86_64_DEFAULT) && \
     !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
 

proofs/hol_light/README.md

@@ -53,3 +53,4 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
 
 - AArch64 poly_caddq: [mldsa_poly_caddq.S](aarch64/mldsa/mldsa_poly_caddq.S)
 - x86_64 forward NTT: [mldsa_ntt.S](x86_64/mldsa/mldsa_ntt.S)
+- x86_64 NTT unpack:  [mldsa_nttunpack.S](x86_64/mldsa/mldsa_nttunpack.S)

proofs/hol_light/x86_64/Makefile

@@ -50,7 +50,8 @@ endif
 
 SPLIT=tr ';' '\n'
 
-OBJ = mldsa/mldsa_ntt.o
+OBJ = mldsa/mldsa_ntt.o \
+      mldsa/mldsa_nttunpack.o
 
 # Build object files from assembly sources
 $(OBJ): %.o : %.S

proofs/hol_light/x86_64/README.md

@@ -104,5 +104,6 @@ Currently this includes:
 
 - ML-DSA Arithmetic:
   * x86_64 forward NTT: [mldsa_ntt.S](mldsa/mldsa_ntt.S)
+  * x86_64 NTT unpack:  [mldsa_nttunpack.S](mldsa/mldsa_nttunpack.S)
 
 The NTT function is optimized using AVX2 instructions and follows the s2n-bignum x86_64 assembly verification patterns.

proofs/hol_light/x86_64/mldsa/mldsa_nttunpack.S

@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [REF_AVX2]
+ *   CRYSTALS-Dilithium optimized AVX2 implementation
+ *   Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé
+ *   https://github.com/pq-crystals/dilithium/tree/master/avx2
+ */
+
+/*
+ * This file is derived from the public domain
+ * AVX2 Dilithium implementation @[REF_AVX2].
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/x86_64/src/nttunpack.S using scripts/simpasm. Do not modify it directly.
+ */
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_nttunpack_avx2
+_PQCP_MLDSA_NATIVE_MLDSA44_nttunpack_avx2:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_nttunpack_avx2
+PQCP_MLDSA_NATIVE_MLDSA44_nttunpack_avx2:
+#endif
+
+        .cfi_startproc
+        endbr64
+        vmovdqa	(%rdi), %ymm4
+        vmovdqa	0x20(%rdi), %ymm5
+        vmovdqa	0x40(%rdi), %ymm6
+        vmovdqa	0x60(%rdi), %ymm7
+        vmovdqa	0x80(%rdi), %ymm8
+        vmovdqa	0xa0(%rdi), %ymm9
+        vmovdqa	0xc0(%rdi), %ymm10
+        vmovdqa	0xe0(%rdi), %ymm11
+        vperm2i128	$0x20, %ymm8, %ymm4, %ymm3 # ymm3 = ymm4[0,1],ymm8[0,1]
+        vperm2i128	$0x31, %ymm8, %ymm4, %ymm8 # ymm8 = ymm4[2,3],ymm8[2,3]
+        vperm2i128	$0x20, %ymm9, %ymm5, %ymm4 # ymm4 = ymm5[0,1],ymm9[0,1]
+        vperm2i128	$0x31, %ymm9, %ymm5, %ymm9 # ymm9 = ymm5[2,3],ymm9[2,3]
+        vperm2i128	$0x20, %ymm10, %ymm6, %ymm5 # ymm5 = ymm6[0,1],ymm10[0,1]
+        vperm2i128	$0x31, %ymm10, %ymm6, %ymm10 # ymm10 = ymm6[2,3],ymm10[2,3]
+        vperm2i128	$0x20, %ymm11, %ymm7, %ymm6 # ymm6 = ymm7[0,1],ymm11[0,1]
+        vperm2i128	$0x31, %ymm11, %ymm7, %ymm11 # ymm11 = ymm7[2,3],ymm11[2,3]
+        vpunpcklqdq	%ymm5, %ymm3, %ymm7 # ymm7 = ymm3[0],ymm5[0],ymm3[2],ymm5[2]
+        vpunpckhqdq	%ymm5, %ymm3, %ymm5 # ymm5 = ymm3[1],ymm5[1],ymm3[3],ymm5[3]
+        vpunpcklqdq	%ymm10, %ymm8, %ymm3 # ymm3 = ymm8[0],ymm10[0],ymm8[2],ymm10[2]
+        vpunpckhqdq	%ymm10, %ymm8, %ymm10 # ymm10 = ymm8[1],ymm10[1],ymm8[3],ymm10[3]
+        vpunpcklqdq	%ymm6, %ymm4, %ymm8 # ymm8 = ymm4[0],ymm6[0],ymm4[2],ymm6[2]
+        vpunpckhqdq	%ymm6, %ymm4, %ymm6 # ymm6 = ymm4[1],ymm6[1],ymm4[3],ymm6[3]
+        vpunpcklqdq	%ymm11, %ymm9, %ymm4 # ymm4 = ymm9[0],ymm11[0],ymm9[2],ymm11[2]
+        vpunpckhqdq	%ymm11, %ymm9, %ymm11 # ymm11 = ymm9[1],ymm11[1],ymm9[3],ymm11[3]
+        vmovsldup	%ymm8, %ymm9    # ymm9 = ymm8[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm9, %ymm7, %ymm9 # ymm9 = ymm7[0],ymm9[1],ymm7[2],ymm9[3],ymm7[4],ymm9[5],ymm7[6],ymm9[7]
+        vpsrlq	$0x20, %ymm7, %ymm7
+        vpblendd	$0xaa, %ymm8, %ymm7, %ymm8 # ymm8 = ymm7[0],ymm8[1],ymm7[2],ymm8[3],ymm7[4],ymm8[5],ymm7[6],ymm8[7]
+        vmovsldup	%ymm6, %ymm7    # ymm7 = ymm6[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm7, %ymm5, %ymm7 # ymm7 = ymm5[0],ymm7[1],ymm5[2],ymm7[3],ymm5[4],ymm7[5],ymm5[6],ymm7[7]
+        vpsrlq	$0x20, %ymm5, %ymm5
+        vpblendd	$0xaa, %ymm6, %ymm5, %ymm6 # ymm6 = ymm5[0],ymm6[1],ymm5[2],ymm6[3],ymm5[4],ymm6[5],ymm5[6],ymm6[7]
+        vmovsldup	%ymm4, %ymm5    # ymm5 = ymm4[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm5, %ymm3, %ymm5 # ymm5 = ymm3[0],ymm5[1],ymm3[2],ymm5[3],ymm3[4],ymm5[5],ymm3[6],ymm5[7]
+        vpsrlq	$0x20, %ymm3, %ymm3
+        vpblendd	$0xaa, %ymm4, %ymm3, %ymm4 # ymm4 = ymm3[0],ymm4[1],ymm3[2],ymm4[3],ymm3[4],ymm4[5],ymm3[6],ymm4[7]
+        vmovsldup	%ymm11, %ymm3   # ymm3 = ymm11[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm3, %ymm10, %ymm3 # ymm3 = ymm10[0],ymm3[1],ymm10[2],ymm3[3],ymm10[4],ymm3[5],ymm10[6],ymm3[7]
+        vpsrlq	$0x20, %ymm10, %ymm10
+        vpblendd	$0xaa, %ymm11, %ymm10, %ymm11 # ymm11 = ymm10[0],ymm11[1],ymm10[2],ymm11[3],ymm10[4],ymm11[5],ymm10[6],ymm11[7]
+        vmovdqa	%ymm9, (%rdi)
+        vmovdqa	%ymm8, 0x20(%rdi)
+        vmovdqa	%ymm7, 0x40(%rdi)
+        vmovdqa	%ymm6, 0x60(%rdi)
+        vmovdqa	%ymm5, 0x80(%rdi)
+        vmovdqa	%ymm4, 0xa0(%rdi)
+        vmovdqa	%ymm3, 0xc0(%rdi)
+        vmovdqa	%ymm11, 0xe0(%rdi)
+        vmovdqa	0x100(%rdi), %ymm4
+        vmovdqa	0x120(%rdi), %ymm5
+        vmovdqa	0x140(%rdi), %ymm6
+        vmovdqa	0x160(%rdi), %ymm7
+        vmovdqa	0x180(%rdi), %ymm8
+        vmovdqa	0x1a0(%rdi), %ymm9
+        vmovdqa	0x1c0(%rdi), %ymm10
+        vmovdqa	0x1e0(%rdi), %ymm11
+        vperm2i128	$0x20, %ymm8, %ymm4, %ymm3 # ymm3 = ymm4[0,1],ymm8[0,1]
+        vperm2i128	$0x31, %ymm8, %ymm4, %ymm8 # ymm8 = ymm4[2,3],ymm8[2,3]
+        vperm2i128	$0x20, %ymm9, %ymm5, %ymm4 # ymm4 = ymm5[0,1],ymm9[0,1]
+        vperm2i128	$0x31, %ymm9, %ymm5, %ymm9 # ymm9 = ymm5[2,3],ymm9[2,3]
+        vperm2i128	$0x20, %ymm10, %ymm6, %ymm5 # ymm5 = ymm6[0,1],ymm10[0,1]
+        vperm2i128	$0x31, %ymm10, %ymm6, %ymm10 # ymm10 = ymm6[2,3],ymm10[2,3]
+        vperm2i128	$0x20, %ymm11, %ymm7, %ymm6 # ymm6 = ymm7[0,1],ymm11[0,1]
+        vperm2i128	$0x31, %ymm11, %ymm7, %ymm11 # ymm11 = ymm7[2,3],ymm11[2,3]
+        vpunpcklqdq	%ymm5, %ymm3, %ymm7 # ymm7 = ymm3[0],ymm5[0],ymm3[2],ymm5[2]
+        vpunpckhqdq	%ymm5, %ymm3, %ymm5 # ymm5 = ymm3[1],ymm5[1],ymm3[3],ymm5[3]
+        vpunpcklqdq	%ymm10, %ymm8, %ymm3 # ymm3 = ymm8[0],ymm10[0],ymm8[2],ymm10[2]
+        vpunpckhqdq	%ymm10, %ymm8, %ymm10 # ymm10 = ymm8[1],ymm10[1],ymm8[3],ymm10[3]
+        vpunpcklqdq	%ymm6, %ymm4, %ymm8 # ymm8 = ymm4[0],ymm6[0],ymm4[2],ymm6[2]
+        vpunpckhqdq	%ymm6, %ymm4, %ymm6 # ymm6 = ymm4[1],ymm6[1],ymm4[3],ymm6[3]
+        vpunpcklqdq	%ymm11, %ymm9, %ymm4 # ymm4 = ymm9[0],ymm11[0],ymm9[2],ymm11[2]
+        vpunpckhqdq	%ymm11, %ymm9, %ymm11 # ymm11 = ymm9[1],ymm11[1],ymm9[3],ymm11[3]
+        vmovsldup	%ymm8, %ymm9    # ymm9 = ymm8[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm9, %ymm7, %ymm9 # ymm9 = ymm7[0],ymm9[1],ymm7[2],ymm9[3],ymm7[4],ymm9[5],ymm7[6],ymm9[7]
+        vpsrlq	$0x20, %ymm7, %ymm7
+        vpblendd	$0xaa, %ymm8, %ymm7, %ymm8 # ymm8 = ymm7[0],ymm8[1],ymm7[2],ymm8[3],ymm7[4],ymm8[5],ymm7[6],ymm8[7]
+        vmovsldup	%ymm6, %ymm7    # ymm7 = ymm6[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm7, %ymm5, %ymm7 # ymm7 = ymm5[0],ymm7[1],ymm5[2],ymm7[3],ymm5[4],ymm7[5],ymm5[6],ymm7[7]
+        vpsrlq	$0x20, %ymm5, %ymm5
+        vpblendd	$0xaa, %ymm6, %ymm5, %ymm6 # ymm6 = ymm5[0],ymm6[1],ymm5[2],ymm6[3],ymm5[4],ymm6[5],ymm5[6],ymm6[7]
+        vmovsldup	%ymm4, %ymm5    # ymm5 = ymm4[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm5, %ymm3, %ymm5 # ymm5 = ymm3[0],ymm5[1],ymm3[2],ymm5[3],ymm3[4],ymm5[5],ymm3[6],ymm5[7]
+        vpsrlq	$0x20, %ymm3, %ymm3
+        vpblendd	$0xaa, %ymm4, %ymm3, %ymm4 # ymm4 = ymm3[0],ymm4[1],ymm3[2],ymm4[3],ymm3[4],ymm4[5],ymm3[6],ymm4[7]
+        vmovsldup	%ymm11, %ymm3   # ymm3 = ymm11[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm3, %ymm10, %ymm3 # ymm3 = ymm10[0],ymm3[1],ymm10[2],ymm3[3],ymm10[4],ymm3[5],ymm10[6],ymm3[7]
+        vpsrlq	$0x20, %ymm10, %ymm10
+        vpblendd	$0xaa, %ymm11, %ymm10, %ymm11 # ymm11 = ymm10[0],ymm11[1],ymm10[2],ymm11[3],ymm10[4],ymm11[5],ymm10[6],ymm11[7]
+        vmovdqa	%ymm9, 0x100(%rdi)
+        vmovdqa	%ymm8, 0x120(%rdi)
+        vmovdqa	%ymm7, 0x140(%rdi)
+        vmovdqa	%ymm6, 0x160(%rdi)
+        vmovdqa	%ymm5, 0x180(%rdi)
+        vmovdqa	%ymm4, 0x1a0(%rdi)
+        vmovdqa	%ymm3, 0x1c0(%rdi)
+        vmovdqa	%ymm11, 0x1e0(%rdi)
+        vmovdqa	0x200(%rdi), %ymm4
+        vmovdqa	0x220(%rdi), %ymm5
+        vmovdqa	0x240(%rdi), %ymm6
+        vmovdqa	0x260(%rdi), %ymm7
+        vmovdqa	0x280(%rdi), %ymm8
+        vmovdqa	0x2a0(%rdi), %ymm9
+        vmovdqa	0x2c0(%rdi), %ymm10
+        vmovdqa	0x2e0(%rdi), %ymm11
+        vperm2i128	$0x20, %ymm8, %ymm4, %ymm3 # ymm3 = ymm4[0,1],ymm8[0,1]
+        vperm2i128	$0x31, %ymm8, %ymm4, %ymm8 # ymm8 = ymm4[2,3],ymm8[2,3]
+        vperm2i128	$0x20, %ymm9, %ymm5, %ymm4 # ymm4 = ymm5[0,1],ymm9[0,1]
+        vperm2i128	$0x31, %ymm9, %ymm5, %ymm9 # ymm9 = ymm5[2,3],ymm9[2,3]
+        vperm2i128	$0x20, %ymm10, %ymm6, %ymm5 # ymm5 = ymm6[0,1],ymm10[0,1]
+        vperm2i128	$0x31, %ymm10, %ymm6, %ymm10 # ymm10 = ymm6[2,3],ymm10[2,3]
+        vperm2i128	$0x20, %ymm11, %ymm7, %ymm6 # ymm6 = ymm7[0,1],ymm11[0,1]
+        vperm2i128	$0x31, %ymm11, %ymm7, %ymm11 # ymm11 = ymm7[2,3],ymm11[2,3]
+        vpunpcklqdq	%ymm5, %ymm3, %ymm7 # ymm7 = ymm3[0],ymm5[0],ymm3[2],ymm5[2]
+        vpunpckhqdq	%ymm5, %ymm3, %ymm5 # ymm5 = ymm3[1],ymm5[1],ymm3[3],ymm5[3]
+        vpunpcklqdq	%ymm10, %ymm8, %ymm3 # ymm3 = ymm8[0],ymm10[0],ymm8[2],ymm10[2]
+        vpunpckhqdq	%ymm10, %ymm8, %ymm10 # ymm10 = ymm8[1],ymm10[1],ymm8[3],ymm10[3]
+        vpunpcklqdq	%ymm6, %ymm4, %ymm8 # ymm8 = ymm4[0],ymm6[0],ymm4[2],ymm6[2]
+        vpunpckhqdq	%ymm6, %ymm4, %ymm6 # ymm6 = ymm4[1],ymm6[1],ymm4[3],ymm6[3]
+        vpunpcklqdq	%ymm11, %ymm9, %ymm4 # ymm4 = ymm9[0],ymm11[0],ymm9[2],ymm11[2]
+        vpunpckhqdq	%ymm11, %ymm9, %ymm11 # ymm11 = ymm9[1],ymm11[1],ymm9[3],ymm11[3]
+        vmovsldup	%ymm8, %ymm9    # ymm9 = ymm8[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm9, %ymm7, %ymm9 # ymm9 = ymm7[0],ymm9[1],ymm7[2],ymm9[3],ymm7[4],ymm9[5],ymm7[6],ymm9[7]
+        vpsrlq	$0x20, %ymm7, %ymm7
+        vpblendd	$0xaa, %ymm8, %ymm7, %ymm8 # ymm8 = ymm7[0],ymm8[1],ymm7[2],ymm8[3],ymm7[4],ymm8[5],ymm7[6],ymm8[7]
+        vmovsldup	%ymm6, %ymm7    # ymm7 = ymm6[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm7, %ymm5, %ymm7 # ymm7 = ymm5[0],ymm7[1],ymm5[2],ymm7[3],ymm5[4],ymm7[5],ymm5[6],ymm7[7]
+        vpsrlq	$0x20, %ymm5, %ymm5
+        vpblendd	$0xaa, %ymm6, %ymm5, %ymm6 # ymm6 = ymm5[0],ymm6[1],ymm5[2],ymm6[3],ymm5[4],ymm6[5],ymm5[6],ymm6[7]
+        vmovsldup	%ymm4, %ymm5    # ymm5 = ymm4[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm5, %ymm3, %ymm5 # ymm5 = ymm3[0],ymm5[1],ymm3[2],ymm5[3],ymm3[4],ymm5[5],ymm3[6],ymm5[7]
+        vpsrlq	$0x20, %ymm3, %ymm3
+        vpblendd	$0xaa, %ymm4, %ymm3, %ymm4 # ymm4 = ymm3[0],ymm4[1],ymm3[2],ymm4[3],ymm3[4],ymm4[5],ymm3[6],ymm4[7]
+        vmovsldup	%ymm11, %ymm3   # ymm3 = ymm11[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm3, %ymm10, %ymm3 # ymm3 = ymm10[0],ymm3[1],ymm10[2],ymm3[3],ymm10[4],ymm3[5],ymm10[6],ymm3[7]
+        vpsrlq	$0x20, %ymm10, %ymm10
+        vpblendd	$0xaa, %ymm11, %ymm10, %ymm11 # ymm11 = ymm10[0],ymm11[1],ymm10[2],ymm11[3],ymm10[4],ymm11[5],ymm10[6],ymm11[7]
+        vmovdqa	%ymm9, 0x200(%rdi)
+        vmovdqa	%ymm8, 0x220(%rdi)
+        vmovdqa	%ymm7, 0x240(%rdi)
+        vmovdqa	%ymm6, 0x260(%rdi)
+        vmovdqa	%ymm5, 0x280(%rdi)
+        vmovdqa	%ymm4, 0x2a0(%rdi)
+        vmovdqa	%ymm3, 0x2c0(%rdi)
+        vmovdqa	%ymm11, 0x2e0(%rdi)
+        vmovdqa	0x300(%rdi), %ymm4
+        vmovdqa	0x320(%rdi), %ymm5
+        vmovdqa	0x340(%rdi), %ymm6
+        vmovdqa	0x360(%rdi), %ymm7
+        vmovdqa	0x380(%rdi), %ymm8
+        vmovdqa	0x3a0(%rdi), %ymm9
+        vmovdqa	0x3c0(%rdi), %ymm10
+        vmovdqa	0x3e0(%rdi), %ymm11
+        vperm2i128	$0x20, %ymm8, %ymm4, %ymm3 # ymm3 = ymm4[0,1],ymm8[0,1]
+        vperm2i128	$0x31, %ymm8, %ymm4, %ymm8 # ymm8 = ymm4[2,3],ymm8[2,3]
+        vperm2i128	$0x20, %ymm9, %ymm5, %ymm4 # ymm4 = ymm5[0,1],ymm9[0,1]
+        vperm2i128	$0x31, %ymm9, %ymm5, %ymm9 # ymm9 = ymm5[2,3],ymm9[2,3]
+        vperm2i128	$0x20, %ymm10, %ymm6, %ymm5 # ymm5 = ymm6[0,1],ymm10[0,1]
+        vperm2i128	$0x31, %ymm10, %ymm6, %ymm10 # ymm10 = ymm6[2,3],ymm10[2,3]
+        vperm2i128	$0x20, %ymm11, %ymm7, %ymm6 # ymm6 = ymm7[0,1],ymm11[0,1]
+        vperm2i128	$0x31, %ymm11, %ymm7, %ymm11 # ymm11 = ymm7[2,3],ymm11[2,3]
+        vpunpcklqdq	%ymm5, %ymm3, %ymm7 # ymm7 = ymm3[0],ymm5[0],ymm3[2],ymm5[2]
+        vpunpckhqdq	%ymm5, %ymm3, %ymm5 # ymm5 = ymm3[1],ymm5[1],ymm3[3],ymm5[3]
+        vpunpcklqdq	%ymm10, %ymm8, %ymm3 # ymm3 = ymm8[0],ymm10[0],ymm8[2],ymm10[2]
+        vpunpckhqdq	%ymm10, %ymm8, %ymm10 # ymm10 = ymm8[1],ymm10[1],ymm8[3],ymm10[3]
+        vpunpcklqdq	%ymm6, %ymm4, %ymm8 # ymm8 = ymm4[0],ymm6[0],ymm4[2],ymm6[2]
+        vpunpckhqdq	%ymm6, %ymm4, %ymm6 # ymm6 = ymm4[1],ymm6[1],ymm4[3],ymm6[3]
+        vpunpcklqdq	%ymm11, %ymm9, %ymm4 # ymm4 = ymm9[0],ymm11[0],ymm9[2],ymm11[2]
+        vpunpckhqdq	%ymm11, %ymm9, %ymm11 # ymm11 = ymm9[1],ymm11[1],ymm9[3],ymm11[3]
+        vmovsldup	%ymm8, %ymm9    # ymm9 = ymm8[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm9, %ymm7, %ymm9 # ymm9 = ymm7[0],ymm9[1],ymm7[2],ymm9[3],ymm7[4],ymm9[5],ymm7[6],ymm9[7]
+        vpsrlq	$0x20, %ymm7, %ymm7
+        vpblendd	$0xaa, %ymm8, %ymm7, %ymm8 # ymm8 = ymm7[0],ymm8[1],ymm7[2],ymm8[3],ymm7[4],ymm8[5],ymm7[6],ymm8[7]
+        vmovsldup	%ymm6, %ymm7    # ymm7 = ymm6[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm7, %ymm5, %ymm7 # ymm7 = ymm5[0],ymm7[1],ymm5[2],ymm7[3],ymm5[4],ymm7[5],ymm5[6],ymm7[7]
+        vpsrlq	$0x20, %ymm5, %ymm5
+        vpblendd	$0xaa, %ymm6, %ymm5, %ymm6 # ymm6 = ymm5[0],ymm6[1],ymm5[2],ymm6[3],ymm5[4],ymm6[5],ymm5[6],ymm6[7]
+        vmovsldup	%ymm4, %ymm5    # ymm5 = ymm4[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm5, %ymm3, %ymm5 # ymm5 = ymm3[0],ymm5[1],ymm3[2],ymm5[3],ymm3[4],ymm5[5],ymm3[6],ymm5[7]
+        vpsrlq	$0x20, %ymm3, %ymm3
+        vpblendd	$0xaa, %ymm4, %ymm3, %ymm4 # ymm4 = ymm3[0],ymm4[1],ymm3[2],ymm4[3],ymm3[4],ymm4[5],ymm3[6],ymm4[7]
+        vmovsldup	%ymm11, %ymm3   # ymm3 = ymm11[0,0,2,2,4,4,6,6]
+        vpblendd	$0xaa, %ymm3, %ymm10, %ymm3 # ymm3 = ymm10[0],ymm3[1],ymm10[2],ymm3[3],ymm10[4],ymm3[5],ymm10[6],ymm3[7]
+        vpsrlq	$0x20, %ymm10, %ymm10
+        vpblendd	$0xaa, %ymm11, %ymm10, %ymm11 # ymm11 = ymm10[0],ymm11[1],ymm10[2],ymm11[3],ymm10[4],ymm11[5],ymm10[6],ymm11[7]
+        vmovdqa	%ymm9, 0x300(%rdi)
+        vmovdqa	%ymm8, 0x320(%rdi)
+        vmovdqa	%ymm7, 0x340(%rdi)
+        vmovdqa	%ymm6, 0x360(%rdi)
+        vmovdqa	%ymm5, 0x380(%rdi)
+        vmovdqa	%ymm4, 0x3a0(%rdi)
+        vmovdqa	%ymm3, 0x3c0(%rdi)
+        vmovdqa	%ymm11, 0x3e0(%rdi)
+        retq
+        .cfi_endproc

proofs/hol_light/x86_64/proofs/dump_bytecode.ml

@@ -8,3 +8,7 @@ needs "x86/proofs/base.ml";;
 print_string "=== bytecode start: x86_64/mldsa/mldsa_ntt.o ================\n";;
 print_literal_from_elf "x86_64/mldsa/mldsa_ntt.o";;
 print_string "==== bytecode end =====================================\n\n";;
+
+print_string "=== bytecode start: x86_64/mldsa/mldsa_nttunpack.o ================\n";;
+print_literal_from_elf "x86_64/mldsa/mldsa_nttunpack.o";;
+print_string "==== bytecode end =====================================\n\n";;