pq-code-package · jakemas · Apr 1, 2026
@@ -85,6 +85,12 @@ jobs:
             needs: ["mldsa_specs.ml", "mldsa_zetas.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
           - name: mldsa_pointwise
             needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l4
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l5
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l7
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
           - name: mldsa_poly_caddq
             needs: ["aarch64_utils.ml"]
           - name: mldsa_poly_chknorm
@@ -185,6 +191,12 @@ jobs:
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
           - name: mldsa_pointwise
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
+          - name: mldsa_pointwise_acc_l4
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l5
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l7
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml", "subroutine_signatures.ml"]
     name: x86_64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-x64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

@@ -254,6 +254,9 @@ source code and documentation.
   - [proofs/hol_light/x86_64/mldsa/mldsa_intt.S](proofs/hol_light/x86_64/mldsa/mldsa_intt.S)
   - [proofs/hol_light/x86_64/mldsa/mldsa_ntt.S](proofs/hol_light/x86_64/mldsa/mldsa_ntt.S)
   - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l4.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l4.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l5.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l5.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l7.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l7.S)
 
 ### `Round3_Spec`
 

@@ -213,8 +213,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l4_native(
     int32_t w[MLDSA_N], const int32_t u[4][MLDSA_N],
     const int32_t v[4][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l4_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l4_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 4 */
@@ -225,8 +224,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l5_native(
     int32_t w[MLDSA_N], const int32_t u[5][MLDSA_N],
     const int32_t v[5][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l5_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l5_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 5 */
@@ -237,8 +235,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l7_native(
     int32_t w[MLDSA_N], const int32_t u[7][MLDSA_N],
     const int32_t v[7][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l7_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l7_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 7 */

@@ -152,17 +152,59 @@ __contract__(
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *r,
+                                                  const int32_t a[4][MLDSA_N],
+                                                  const int32_t b[4][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l5_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l5_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *r,
+                                                  const int32_t a[5][MLDSA_N],
+                                                  const int32_t b[5][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l7_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l7_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *r,
+                                                  const int32_t a[7][MLDSA_N],
+                                                  const int32_t b[7][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */
@@ -213,8 +213,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l4_native(
     int32_t w[MLDSA_N], const int32_t u[4][MLDSA_N],
     const int32_t v[4][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l4_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l4_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 4 */
@@ -225,8 +224,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l5_native(
     int32_t w[MLDSA_N], const int32_t u[5][MLDSA_N],
     const int32_t v[5][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l5_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l5_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 5 */
@@ -237,8 +235,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l7_native(
     int32_t w[MLDSA_N], const int32_t u[7][MLDSA_N],
     const int32_t v[7][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l7_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l7_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 7 */

@@ -152,17 +152,59 @@ __contract__(
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *r,
+                                                  const int32_t a[4][MLDSA_N],
+                                                  const int32_t b[4][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l5_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l5_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *r,
+                                                  const int32_t a[5][MLDSA_N],
+                                                  const int32_t b[5][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l7_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l7_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *r,
+                                                  const int32_t a[7][MLDSA_N],
+                                                  const int32_t b[7][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */
@@ -123,16 +123,58 @@ __contract__(
 #define mld_pointwise_acc_l4_avx2 MLD_NAMESPACE(pointwise_acc_l4_avx2)
 void mld_pointwise_acc_l4_avx2(int32_t c[MLDSA_N], const int32_t a[4][MLDSA_N],
                                const int32_t b[4][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l5_avx2 MLD_NAMESPACE(pointwise_acc_l5_avx2)
 void mld_pointwise_acc_l5_avx2(int32_t c[MLDSA_N], const int32_t a[5][MLDSA_N],
                                const int32_t b[5][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l7_avx2 MLD_NAMESPACE(pointwise_acc_l7_avx2)
 void mld_pointwise_acc_l7_avx2(int32_t c[MLDSA_N], const int32_t a[7][MLDSA_N],
                                const int32_t b[7][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H */
@@ -213,8 +213,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l4_native(
     int32_t w[MLDSA_N], const int32_t u[4][MLDSA_N],
     const int32_t v[4][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l4_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l4_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 4 */
@@ -225,8 +224,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l5_native(
     int32_t w[MLDSA_N], const int32_t u[5][MLDSA_N],
     const int32_t v[5][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l5_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l5_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 5 */
@@ -237,8 +235,7 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l7_native(
     int32_t w[MLDSA_N], const int32_t u[7][MLDSA_N],
     const int32_t v[7][MLDSA_N])
 {
-  mld_polyvecl_pointwise_acc_montgomery_l7_asm(w, (const int32_t *)u,
-                                               (const int32_t *)v);
+  mld_polyvecl_pointwise_acc_montgomery_l7_asm(w, u, v);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLDSA_L == 7 */

@@ -152,17 +152,59 @@ __contract__(
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *r,
+                                                  const int32_t a[4][MLDSA_N],
+                                                  const int32_t b[4][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l5_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l5_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *r,
+                                                  const int32_t a[5][MLDSA_N],
+                                                  const int32_t b[5][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l7_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l7_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *r,
+                                                  const int32_t a[7][MLDSA_N],
+                                                  const int32_t b[7][MLDSA_N])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */