Sign: Set smlen to 0 in case of failure by mkannwischer · Pull Request #959 · pq-code-package/mldsa-native

mkannwischer · 2026-02-10T03:18:33Z

Resolves Inconsistent and possibly confusing mld_sign() API and contracts #974

oqs-bot · 2026-02-10T03:37:02Z

CBMC Results (ML-DSA-44)

Full Results (186 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2187s	2274s	-3.8%
`polyvecl_pointwise_acc_montgomery_c`	✅	382s	360s	+6%
`poly_pointwise_montgomery_c`	✅	172s	144s	+19%
`sign_verify_internal`	✅	166s	161s	+3%
`rej_uniform_native`	✅	150s	143s	+5%
`mld_invntt_layer`	✅	113s	106s	+7%
`mld_attempt_signature_generation`	✅	103s	285s	-64%
`mld_ct_memcmp`	✅	82s	73s	+12%
`mld_ntt_layer`	✅	58s	55s	+5%
`poly_invntt_tomont_c`	✅	28s	24s	+17%
`polymat_permute_bitrev_to_custom`	✅	28s	27s	+4%
`rej_uniform`	✅	24s	20s	+20%
`polyvec_matrix_expand`	✅	23s	20s	+15%
`polyvec_matrix_expand_serial`	✅	23s	22s	+5%
`fqmul`	✅	21s	20s	+5%
`poly_chknorm_c`	✅	21s	18s	+17%
`sign_signature_internal`	✅	21s	21s	+0%
`polyt0_unpack`	✅	19s	19s	+0%
`poly_uniform_eta_4x`	✅	17s	16s	+6%
`polyeta_unpack`	✅	17s	18s	-6%
`rej_uniform_c`	✅	17s	14s	+21%
`poly_uniform_4x`	✅	16s	13s	+23%
`mld_compute_t0_t1_tr_from_sk_components`	✅	15s	13s	+15%
`mld_ntt_butterfly_block`	✅	14s	12s	+17%
`polyz_unpack_c`	✅	14s	11s	+27%
`keccakf1600x4_permute_native`	✅	12s	13s	-8%
`keccak_absorb_once_x4`	✅	11s	10s	+10%
`poly_add`	✅	11s	11s	+0%
`keccakf1600_permute`	✅	10s	9s	+11%
`keccak_squeezeblocks_x4`	✅	9s	9s	+0%
`mld_compute_pack_z`	✅	9s	6s	+50%
`poly_power2round`	✅	9s	9s	+0%
`mld_check_pct`	✅	8s	12s	-33%
`mld_polyvecl_permute_bitrev_to_custom_native`	✅	8s	9s	-11%
`polyvec_matrix_pointwise_montgomery`	✅	8s	9s	-11%
`polyveck_decompose`	✅	8s	8s	+0%
`sign_pk_from_sk`	✅	8s	9s	-11%
`unpack_sk`	✅	8s	8s	+0%
`keccak_absorb`	✅	7s	9s	-22%
`keccakf1600_permute_native`	✅	7s	7s	+0%
`poly_caddq_c`	✅	7s	6s	+17%
`poly_use_hint_c`	✅	7s	5s	+40%
`polyveck_reduce`	✅	7s	5s	+40%
`polyveck_use_hint`	✅	7s	6s	+17%
`sign`	✅	7s	8s	-12%
`mld_ct_abs_i32`	✅	6s	3s	+100%
`mld_sample_s1_s2`	✅	6s	5s	+20%
`pointwise_acc_native_x86_64`	✅	6s	9s	-33%
`polyveck_add`	✅	6s	6s	+0%
`polyveck_sub`	✅	6s	6s	+0%
`rej_eta_native`	✅	6s	6s	+0%
`sign_verify_extmu`	✅	6s	5s	+20%
`sign_verify_pre_hash_shake256`	✅	6s	4s	+50%
`unpack_hints`	✅	6s	6s	+0%
`fqscale`	✅	5s	3s	+67%
`mld_h`	✅	5s	7s	-29%
`mld_value_barrier_u32`	✅	5s	2s	+150%
`ntt_native_x86_64`	✅	5s	2s	+150%
`pointwise_acc_native_aarch64`	✅	5s	6s	-17%
`pointwise_native_x86_64`	✅	5s	4s	+25%
`poly_challenge`	✅	5s	4s	+25%
`poly_decompose_c`	✅	5s	4s	+25%
`poly_decompose_native`	✅	5s	5s	+0%
`poly_ntt`	✅	5s	2s	+150%
`poly_ntt_c`	✅	5s	5s	+0%
`poly_use_hint`	✅	5s	4s	+25%
`polyveck_pointwise_poly_montgomery`	✅	5s	4s	+25%
`polyveck_power2round`	✅	5s	5s	+0%
`polyvecl_chknorm`	✅	5s	3s	+67%
`sign_keypair_internal`	✅	5s	7s	-29%
`sign_signature_pre_hash_internal`	✅	5s	3s	+67%
`sign_signature_pre_hash_shake256`	✅	5s	5s	+0%
`sign_verify`	✅	5s	2s	+150%
`keccak_f1600_x4_native_aarch64_v84a`	✅	4s	1s	+300%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	4s	2s	+100%
`keccak_finalize`	✅	4s	2s	+100%
`keccakf1600_xor_bytes`	✅	4s	3s	+33%
`montgomery_reduce`	✅	4s	4s	+0%
`pointwise_native_aarch64`	✅	4s	1s	+300%
`poly_invntt_tomont_native`	✅	4s	4s	+0%
`poly_shiftl`	✅	4s	5s	-20%
`poly_uniform_eta`	✅	4s	8s	-50%
`polyeta_pack`	✅	4s	2s	+100%
`polyveck_caddq`	✅	4s	5s	-20%
`polyveck_invntt_tomont`	✅	4s	2s	+100%
`polyveck_pack_eta`	✅	4s	3s	+33%
`polyveck_shiftl`	✅	4s	3s	+33%
`polyveck_unpack_t0`	✅	4s	3s	+33%
`polyvecl_pointwise_acc_montgomery_native`	✅	4s	4s	+0%
`polyvecl_unpack_eta`	✅	4s	1s	+300%
`polyz_unpack_native`	✅	4s	3s	+33%
`rej_eta`	✅	4s	3s	+33%
`rej_eta_c`	✅	4s	6s	-33%
`shake128_absorb`	✅	4s	3s	+33%
`shake128_init`	✅	4s	3s	+33%
`shake128_release`	✅	4s	2s	+100%
`shake256_init`	✅	4s	3s	+33%
`shake256x4_absorb_once`	✅	4s	4s	+0%
`sign_keypair`	✅	4s	5s	-20%
`sign_open`	✅	4s	4s	+0%
`sign_signature`	✅	4s	7s	-43%
`unpack_sig`	✅	4s	4s	+0%
`use_hint`	✅	4s	3s	+33%
`caddq`	✅	3s	5s	-40%
`intt_native_x86_64`	✅	3s	4s	-25%
`keccak_squeeze`	✅	3s	3s	+0%
`keccakf1600x4_permute`	✅	3s	2s	+50%
`mld_ct_cmask_neg_i32`	✅	3s	2s	+50%
`mld_ct_get_optblocker_u32`	✅	3s	2s	+50%
`mld_keccakf1600_extract_bytes`	✅	3s	4s	-25%
`mld_sample_s1_s2_serial`	✅	3s	3s	+0%
`mld_value_barrier_i64`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	4s	-25%
`pack_sig_c`	✅	3s	4s	-25%
`pack_sig_z`	✅	3s	2s	+50%
`poly_caddq`	✅	3s	3s	+0%
`poly_caddq_native`	✅	3s	3s	+0%
`poly_chknorm`	✅	3s	2s	+50%
`poly_chknorm_native_aarch64`	✅	3s	2s	+50%
`poly_decompose`	✅	3s	3s	+0%
`poly_ntt_native`	✅	3s	5s	-40%
`poly_reduce`	✅	3s	4s	-25%
`poly_sub`	✅	3s	3s	+0%
`poly_uniform`	✅	3s	3s	+0%
`poly_uniform_gamma1`	✅	3s	5s	-40%
`poly_uniform_gamma1_4x`	✅	3s	3s	+0%
`poly_use_hint_native`	✅	3s	5s	-40%
`polyt0_pack`	✅	3s	6s	-50%
`polyt1_pack`	✅	3s	3s	+0%
`polyt1_unpack`	✅	3s	5s	-40%
`polyveck_ntt`	✅	3s	5s	-40%
`polyveck_pack_t0`	✅	3s	3s	+0%
`polyveck_pack_w1`	✅	3s	4s	-25%
`polyvecl_ntt`	✅	3s	4s	-25%
`polyvecl_pack_eta`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	3s	4s	-25%
`polyvecl_uniform_gamma1`	✅	3s	3s	+0%
`polyvecl_uniform_gamma1_serial`	✅	3s	4s	-25%
`polyvecl_unpack_z`	✅	3s	3s	+0%
`polyw1_pack`	✅	3s	3s	+0%
`polyz_pack`	✅	3s	3s	+0%
`polyz_unpack`	✅	3s	5s	-40%
`shake128_finalize`	✅	3s	2s	+50%
`shake128x4_squeezeblocks`	✅	3s	2s	+50%
`shake256_absorb`	✅	3s	2s	+50%
`shake256_squeeze`	✅	3s	2s	+50%
`sign_signature_extmu`	✅	3s	3s	+0%
`unpack_pk`	✅	3s	3s	+0%
`decompose`	✅	2s	2s	+0%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	2s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	2s	+0%
`keccak_init`	✅	2s	2s	+0%
`keccakf1600_extract_bytes (big endian)`	✅	2s	2s	+0%
`keccakf1600_xor_bytes (big endian)`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`keccakf1600x4_xor_bytes`	✅	2s	2s	+0%
`mld_ct_cmask_nonzero_u8`	✅	2s	3s	-33%
`mld_ct_get_optblocker_i64`	✅	2s	1s	+100%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	4s	-50%
`mld_prepare_domain_separation_prefix`	✅	2s	3s	-33%
`pack_pk`	✅	2s	3s	-33%
`pack_sig_h_poly`	✅	2s	4s	-50%
`pack_sk`	✅	2s	3s	-33%
`poly_caddq_native_aarch64`	✅	2s	5s	-60%
`poly_chknorm_native`	✅	2s	3s	-33%
`poly_invntt_tomont`	✅	2s	3s	-33%
`poly_make_hint`	✅	2s	3s	-33%
`poly_pointwise_montgomery`	✅	2s	3s	-33%
`poly_pointwise_montgomery_native`	✅	2s	5s	-60%
`polyveck_chknorm`	✅	2s	5s	-60%
`polyveck_unpack_eta`	✅	2s	2s	+0%
`polyvecl_permute_bitrev_to_custom`	✅	2s	3s	-33%
`power2round`	✅	2s	5s	-60%
`reduce32`	✅	2s	3s	-33%
`shake128_squeeze`	✅	2s	3s	-33%
`shake256_finalize`	✅	2s	3s	-33%
`shake256x4_squeezeblocks`	✅	2s	2s	+0%
`sign_verify_pre_hash_internal`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	1s	+100%
`keccak_f1600_x1_native_aarch64`	✅	1s	1s	+0%
`make_hint`	✅	1s	4s	-75%
`mld_ct_cmask_nonzero_u32`	✅	1s	3s	-67%
`mld_value_barrier_u8`	✅	1s	2s	-50%
`shake128x4_absorb_once`	✅	1s	3s	-67%
`shake256`	✅	1s	3s	-67%
`shake256_release`	✅	1s	1s	+0%

oqs-bot · 2026-02-10T03:37:31Z

CBMC Results (ML-DSA-87)

⚠️ Attention Required

Proof	Status	Current	Previous	Change
`sign_verify_internal`	⚠️	249s	109s	+128%

Full Results (186 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2444s	2432s	+0.5%
`sign_verify_internal`	⚠️	249s	109s	+128%
`polyvec_matrix_expand`	✅	231s	237s	-3%
`poly_pointwise_montgomery_c`	✅	228s	243s	-6%
`polyvecl_pointwise_acc_montgomery_c`	✅	181s	198s	-9%
`mld_attempt_signature_generation`	✅	161s	198s	-19%
`rej_uniform_native`	✅	144s	147s	-2%
`mld_invntt_layer`	✅	95s	102s	-7%
`polyvec_matrix_expand_serial`	✅	81s	85s	-5%
`mld_ct_memcmp`	✅	71s	76s	-7%
`mld_ntt_layer`	✅	52s	53s	-2%
`sign_signature_internal`	✅	36s	37s	-3%
`polymat_permute_bitrev_to_custom`	✅	26s	29s	-10%
`mld_compute_t0_t1_tr_from_sk_components`	✅	24s	24s	+0%
`fqmul`	✅	20s	21s	-5%
`poly_chknorm_c`	✅	20s	21s	-5%
`rej_uniform`	✅	20s	21s	-5%
`poly_uniform_eta_4x`	✅	18s	19s	-5%
`polyveck_power2round`	✅	18s	17s	+6%
`polyeta_unpack`	✅	16s	17s	-6%
`polyt0_unpack`	✅	16s	14s	+14%
`poly_uniform_4x`	✅	15s	15s	+0%
`rej_uniform_c`	✅	15s	16s	-6%
`mld_check_pct`	✅	13s	13s	+0%
`mld_ntt_butterfly_block`	✅	13s	13s	+0%
`poly_invntt_tomont_c`	✅	13s	11s	+18%
`polyveck_decompose`	✅	13s	13s	+0%
`keccakf1600x4_permute_native`	✅	12s	14s	-14%
`mld_polyvecl_permute_bitrev_to_custom_native`	✅	12s	13s	-8%
`polyveck_invntt_tomont`	✅	11s	10s	+10%
`keccak_absorb`	✅	10s	7s	+43%
`poly_add`	✅	10s	11s	-9%
`poly_decompose_c`	✅	10s	7s	+43%
`polyveck_use_hint`	✅	10s	11s	-9%
`unpack_sk`	✅	10s	8s	+25%
`keccakf1600_permute`	✅	9s	8s	+12%
`pointwise_acc_native_aarch64`	✅	9s	8s	+12%
`polyvec_matrix_pointwise_montgomery`	✅	9s	9s	+0%
`polyveck_add`	✅	9s	11s	-18%
`polyveck_shiftl`	✅	9s	6s	+50%
`polyvecl_ntt`	✅	9s	9s	+0%
`sign`	✅	9s	7s	+29%
`sign_pk_from_sk`	✅	9s	9s	+0%
`keccak_absorb_once_x4`	✅	8s	11s	-27%
`keccakf1600_permute_native`	✅	8s	7s	+14%
`pointwise_acc_native_x86_64`	✅	8s	6s	+33%
`polyveck_reduce`	✅	8s	9s	-11%
`pack_pk`	✅	7s	2s	+250%
`polyveck_chknorm`	✅	7s	6s	+17%
`polyveck_ntt`	✅	7s	10s	-30%
`polyz_unpack_c`	✅	7s	11s	-36%
`shake128_absorb`	✅	7s	3s	+133%
`sign_signature_pre_hash_internal`	✅	7s	6s	+17%
`mld_sample_s1_s2`	✅	6s	8s	-25%
`poly_caddq_native`	✅	6s	3s	+100%
`poly_power2round`	✅	6s	5s	+20%
`poly_uniform_gamma1_4x`	✅	6s	7s	-14%
`polyveck_sub`	✅	6s	6s	+0%
`polyvecl_chknorm`	✅	6s	6s	+0%
`unpack_hints`	✅	6s	4s	+50%
`fqscale`	✅	5s	3s	+67%
`keccak_f1600_x1_native_aarch64`	✅	5s	3s	+67%
`keccak_squeezeblocks_x4`	✅	5s	6s	-17%
`mld_compute_pack_z`	✅	5s	5s	+0%
`mld_prepare_domain_separation_prefix`	✅	5s	4s	+25%
`mld_sample_s1_s2_serial`	✅	5s	9s	-44%
`montgomery_reduce`	✅	5s	3s	+67%
`poly_reduce`	✅	5s	2s	+150%
`polyveck_caddq`	✅	5s	6s	-17%
`polyveck_pack_eta`	✅	5s	2s	+150%
`polyveck_pointwise_poly_montgomery`	✅	5s	7s	-29%
`polyveck_unpack_t0`	✅	5s	4s	+25%
`polyvecl_pointwise_acc_montgomery_native`	✅	5s	2s	+150%
`shake128_finalize`	✅	5s	4s	+25%
`sign_keypair_internal`	✅	5s	5s	+0%
`intt_native_x86_64`	✅	4s	4s	+0%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	4s	4s	+0%
`keccakf1600_xor_bytes (big endian)`	✅	4s	3s	+33%
`mld_ct_cmask_nonzero_u8`	✅	4s	3s	+33%
`pack_sig_c`	✅	4s	2s	+100%
`pack_sig_z`	✅	4s	2s	+100%
`poly_caddq_c`	✅	4s	5s	-20%
`poly_challenge`	✅	4s	4s	+0%
`poly_chknorm_native_aarch64`	✅	4s	2s	+100%
`poly_decompose_native`	✅	4s	4s	+0%
`poly_invntt_tomont`	✅	4s	2s	+100%
`poly_invntt_tomont_native`	✅	4s	6s	-33%
`poly_pointwise_montgomery_native`	✅	4s	4s	+0%
`poly_uniform`	✅	4s	3s	+33%
`poly_uniform_eta`	✅	4s	5s	-20%
`poly_uniform_gamma1`	✅	4s	4s	+0%
`poly_use_hint_c`	✅	4s	4s	+0%
`polyeta_pack`	✅	4s	2s	+100%
`polyveck_unpack_eta`	✅	4s	3s	+33%
`polyvecl_pack_eta`	✅	4s	4s	+0%
`polyvecl_permute_bitrev_to_custom`	✅	4s	2s	+100%
`polyvecl_uniform_gamma1`	✅	4s	5s	-20%
`polyz_pack`	✅	4s	2s	+100%
`rej_eta_c`	✅	4s	3s	+33%
`shake256`	✅	4s	2s	+100%
`shake256_absorb`	✅	4s	1s	+300%
`sign_keypair`	✅	4s	3s	+33%
`sign_verify`	✅	4s	4s	+0%
`sign_verify_pre_hash_shake256`	✅	4s	5s	-20%
`unpack_sig`	✅	4s	5s	-20%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	3s	2s	+50%
`keccak_init`	✅	3s	1s	+200%
`keccak_squeeze`	✅	3s	2s	+50%
`mld_ct_abs_i32`	✅	3s	3s	+0%
`mld_ct_get_optblocker_u32`	✅	3s	3s	+0%
`mld_h`	✅	3s	4s	-25%
`mld_keccakf1600_extract_bytes`	✅	3s	2s	+50%
`mld_value_barrier_i64`	✅	3s	2s	+50%
`mld_value_barrier_u32`	✅	3s	3s	+0%
`ntt_native_aarch64`	✅	3s	5s	-40%
`pack_sk`	✅	3s	3s	+0%
`pointwise_native_aarch64`	✅	3s	3s	+0%
`poly_caddq`	✅	3s	2s	+50%
`poly_decompose`	✅	3s	2s	+50%
`poly_make_hint`	✅	3s	5s	-40%
`poly_ntt`	✅	3s	4s	-25%
`poly_shiftl`	✅	3s	3s	+0%
`poly_use_hint`	✅	3s	2s	+50%
`polyt0_pack`	✅	3s	4s	-25%
`polyt1_pack`	✅	3s	4s	-25%
`polyveck_pack_w1`	✅	3s	4s	-25%
`polyvecl_pointwise_acc_montgomery`	✅	3s	5s	-40%
`polyvecl_uniform_gamma1_serial`	✅	3s	2s	+50%
`polyvecl_unpack_eta`	✅	3s	4s	-25%
`polyz_unpack`	✅	3s	6s	-50%
`polyz_unpack_native`	✅	3s	2s	+50%
`reduce32`	✅	3s	2s	+50%
`rej_eta_native`	✅	3s	3s	+0%
`shake128x4_absorb_once`	✅	3s	2s	+50%
`shake256_release`	✅	3s	2s	+50%
`sign_open`	✅	3s	4s	-25%
`sign_signature_extmu`	✅	3s	3s	+0%
`sign_verify_pre_hash_internal`	✅	3s	4s	-25%
`unpack_pk`	✅	3s	3s	+0%
`caddq`	✅	2s	4s	-50%
`decompose`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	1s	+100%
`keccak_finalize`	✅	2s	3s	-33%
`keccakf1600_extract_bytes (big endian)`	✅	2s	4s	-50%
`keccakf1600_xor_bytes`	✅	2s	3s	-33%
`keccakf1600x4_xor_bytes`	✅	2s	3s	-33%
`make_hint`	✅	2s	4s	-50%
`mld_ct_cmask_nonzero_u32`	✅	2s	3s	-33%
`mld_ct_get_optblocker_u8`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	1s	+100%
`mld_value_barrier_u8`	✅	2s	3s	-33%
`ntt_native_x86_64`	✅	2s	4s	-50%
`pack_sig_h_poly`	✅	2s	3s	-33%
`pointwise_native_x86_64`	✅	2s	6s	-67%
`poly_caddq_native_aarch64`	✅	2s	4s	-50%
`poly_chknorm`	✅	2s	3s	-33%
`poly_chknorm_native`	✅	2s	2s	+0%
`poly_ntt_c`	✅	2s	3s	-33%
`poly_pointwise_montgomery`	✅	2s	3s	-33%
`poly_sub`	✅	2s	3s	-33%
`poly_use_hint_native`	✅	2s	3s	-33%
`polyveck_pack_t0`	✅	2s	3s	-33%
`polyvecl_unpack_z`	✅	2s	4s	-50%
`polyw1_pack`	✅	2s	2s	+0%
`power2round`	✅	2s	3s	-33%
`rej_eta`	✅	2s	3s	-33%
`shake128_init`	✅	2s	3s	-33%
`shake128_squeeze`	✅	2s	2s	+0%
`shake256_finalize`	✅	2s	3s	-33%
`shake256_squeeze`	✅	2s	4s	-50%
`shake256x4_absorb_once`	✅	2s	2s	+0%
`sign_signature`	✅	2s	7s	-71%
`sign_signature_pre_hash_shake256`	✅	2s	5s	-60%
`sign_verify_extmu`	✅	2s	3s	-33%
`sys_check_capability`	✅	2s	1s	+100%
`use_hint`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	1s	3s	-67%
`keccakf1600x4_extract_bytes`	✅	1s	5s	-80%
`keccakf1600x4_permute`	✅	1s	5s	-80%
`mld_ct_cmask_neg_i32`	✅	1s	2s	-50%
`mld_ct_get_optblocker_i64`	✅	1s	1s	+0%
`poly_ntt_native`	✅	1s	5s	-80%
`polyt1_unpack`	✅	1s	2s	-50%
`shake128_release`	✅	1s	3s	-67%
`shake128x4_squeezeblocks`	✅	1s	2s	-50%
`shake256_init`	✅	1s	4s	-75%
`shake256x4_squeezeblocks`	✅	1s	5s	-80%

oqs-bot · 2026-02-10T03:40:36Z

CBMC Results (ML-DSA-65)

Full Results (186 proofs)

Proof	Status	Current	Previous	Change
`TOTAL`	✅	2555s	2534s	+0.8%
`sign_verify_internal`	✅	326s	318s	+3%
`polyvecl_pointwise_acc_montgomery_c`	✅	317s	288s	+10%
`poly_pointwise_montgomery_c`	✅	272s	257s	+6%
`rej_uniform_native`	✅	150s	153s	-2%
`polyvec_matrix_expand`	✅	108s	115s	-6%
`mld_invntt_layer`	✅	99s	106s	-7%
`mld_attempt_signature_generation`	✅	98s	122s	-20%
`polyvec_matrix_expand_serial`	✅	83s	86s	-3%
`mld_ct_memcmp`	✅	82s	78s	+5%
`mld_ntt_layer`	✅	56s	58s	-3%
`polymat_permute_bitrev_to_custom`	✅	36s	35s	+3%
`sign_signature_internal`	✅	30s	25s	+20%
`mld_compute_t0_t1_tr_from_sk_components`	✅	25s	27s	-7%
`polyveck_use_hint`	✅	25s	25s	+0%
`rej_uniform`	✅	23s	21s	+10%
`poly_chknorm_c`	✅	21s	20s	+5%
`fqmul`	✅	20s	20s	+0%
`poly_uniform_eta_4x`	✅	18s	16s	+12%
`polyveck_decompose`	✅	18s	17s	+6%
`rej_uniform_c`	✅	18s	16s	+12%
`keccakf1600x4_permute_native`	✅	14s	14s	+0%
`poly_invntt_tomont_c`	✅	14s	10s	+40%
`polyt0_unpack`	✅	14s	15s	-7%
`polyvec_matrix_pointwise_montgomery`	✅	14s	13s	+8%
`mld_ntt_butterfly_block`	✅	13s	12s	+8%
`poly_uniform_4x`	✅	13s	16s	-19%
`polyveck_power2round`	✅	13s	13s	+0%
`mld_check_pct`	✅	11s	14s	-21%
`mld_polyvecl_permute_bitrev_to_custom_native`	✅	11s	9s	+22%
`keccak_absorb_once_x4`	✅	10s	12s	-17%
`mld_sample_s1_s2_serial`	✅	10s	5s	+100%
`poly_add`	✅	10s	15s	-33%
`poly_decompose_c`	✅	10s	7s	+43%
`polyveck_chknorm`	✅	10s	8s	+25%
`polyveck_ntt`	✅	10s	12s	-17%
`polyveck_add`	✅	9s	8s	+12%
`polyveck_caddq`	✅	9s	7s	+29%
`sign`	✅	9s	8s	+12%
`unpack_sk`	✅	9s	10s	-10%
`keccakf1600_permute`	✅	8s	8s	+0%
`keccak_absorb`	✅	7s	7s	+0%
`keccak_squeezeblocks_x4`	✅	7s	5s	+40%
`keccakf1600_permute_native`	✅	7s	7s	+0%
`pointwise_acc_native_aarch64`	✅	7s	6s	+17%
`polyveck_invntt_tomont`	✅	7s	7s	+0%
`polyvecl_ntt`	✅	7s	8s	-12%
`sign_open`	✅	7s	4s	+75%
`sign_pk_from_sk`	✅	7s	9s	-22%
`keccak_init`	✅	6s	1s	+500%
`mld_compute_pack_z`	✅	6s	5s	+20%
`mld_h`	✅	6s	3s	+100%
`mld_sample_s1_s2`	✅	6s	7s	-14%
`poly_caddq_c`	✅	6s	5s	+20%
`poly_chknorm`	✅	6s	2s	+200%
`poly_uniform_eta`	✅	6s	7s	-14%
`poly_uniform_gamma1`	✅	6s	5s	+20%
`polyeta_unpack`	✅	6s	6s	+0%
`polyveck_pointwise_poly_montgomery`	✅	6s	8s	-25%
`polyveck_shiftl`	✅	6s	5s	+20%
`polyveck_unpack_t0`	✅	6s	4s	+50%
`sign_verify_extmu`	✅	6s	4s	+50%
`unpack_pk`	✅	6s	3s	+100%
`keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid`	✅	5s	6s	-17%
`mld_ct_cmask_nonzero_u32`	✅	5s	2s	+150%
`pack_sig_z`	✅	5s	3s	+67%
`pointwise_native_x86_64`	✅	5s	4s	+25%
`poly_challenge`	✅	5s	5s	+0%
`poly_ntt`	✅	5s	1s	+400%
`poly_pointwise_montgomery`	✅	5s	4s	+25%
`poly_power2round`	✅	5s	4s	+25%
`poly_use_hint_c`	✅	5s	5s	+0%
`polyveck_pack_t0`	✅	5s	6s	-17%
`polyveck_reduce`	✅	5s	5s	+0%
`polyveck_sub`	✅	5s	7s	-29%
`polyvecl_uniform_gamma1`	✅	5s	3s	+67%
`power2round`	✅	5s	3s	+67%
`shake256x4_squeezeblocks`	✅	5s	2s	+150%
`sign_signature_pre_hash_shake256`	✅	5s	4s	+25%
`unpack_hints`	✅	5s	5s	+0%
`unpack_sig`	✅	5s	2s	+150%
`caddq`	✅	4s	4s	+0%
`fqscale`	✅	4s	2s	+100%
`keccak_squeeze`	✅	4s	2s	+100%
`pointwise_acc_native_x86_64`	✅	4s	9s	-56%
`poly_chknorm_native`	✅	4s	3s	+33%
`poly_decompose_native`	✅	4s	4s	+0%
`polyveck_pack_w1`	✅	4s	2s	+100%
`polyvecl_chknorm`	✅	4s	8s	-50%
`polyvecl_pack_eta`	✅	4s	4s	+0%
`polyvecl_unpack_eta`	✅	4s	4s	+0%
`polyvecl_unpack_z`	✅	4s	3s	+33%
`rej_eta`	✅	4s	2s	+100%
`rej_eta_c`	✅	4s	4s	+0%
`rej_eta_native`	✅	4s	3s	+33%
`sign_keypair`	✅	4s	2s	+100%
`sign_signature`	✅	4s	3s	+33%
`sign_signature_pre_hash_internal`	✅	4s	5s	-20%
`sign_verify_pre_hash_internal`	✅	4s	4s	+0%
`sign_verify_pre_hash_shake256`	✅	4s	3s	+33%
`decompose`	✅	3s	1s	+200%
`keccakf1600_xor_bytes`	✅	3s	2s	+50%
`keccakf1600x4_permute`	✅	3s	2s	+50%
`make_hint`	✅	3s	3s	+0%
`mld_ct_cmask_neg_i32`	✅	3s	2s	+50%
`mld_ct_cmask_nonzero_u8`	✅	3s	3s	+0%
`mld_value_barrier_u8`	✅	3s	1s	+200%
`ntt_native_aarch64`	✅	3s	5s	-40%
`pack_pk`	✅	3s	4s	-25%
`pack_sig_h_poly`	✅	3s	1s	+200%
`poly_caddq`	✅	3s	2s	+50%
`poly_caddq_native`	✅	3s	1s	+200%
`poly_caddq_native_aarch64`	✅	3s	2s	+50%
`poly_chknorm_native_aarch64`	✅	3s	5s	-40%
`poly_decompose`	✅	3s	4s	-25%
`poly_invntt_tomont`	✅	3s	4s	-25%
`poly_ntt_c`	✅	3s	3s	+0%
`poly_reduce`	✅	3s	2s	+50%
`poly_shiftl`	✅	3s	4s	-25%
`poly_sub`	✅	3s	2s	+50%
`poly_uniform`	✅	3s	4s	-25%
`poly_use_hint`	✅	3s	4s	-25%
`poly_use_hint_native`	✅	3s	3s	+0%
`polyeta_pack`	✅	3s	5s	-40%
`polyt1_unpack`	✅	3s	3s	+0%
`polyveck_pack_eta`	✅	3s	4s	-25%
`polyveck_unpack_eta`	✅	3s	3s	+0%
`polyvecl_permute_bitrev_to_custom`	✅	3s	3s	+0%
`polyvecl_pointwise_acc_montgomery`	✅	3s	5s	-40%
`polyvecl_pointwise_acc_montgomery_native`	✅	3s	5s	-40%
`polyw1_pack`	✅	3s	5s	-40%
`polyz_unpack`	✅	3s	2s	+50%
`shake128_finalize`	✅	3s	3s	+0%
`shake128_init`	✅	3s	2s	+50%
`shake128x4_absorb_once`	✅	3s	5s	-40%
`shake256_finalize`	✅	3s	2s	+50%
`shake256_release`	✅	3s	2s	+50%
`sign_keypair_internal`	✅	3s	6s	-50%
`sign_signature_extmu`	✅	3s	4s	-25%
`intt_native_x86_64`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64_v84a`	✅	2s	1s	+100%
`keccak_f1600_x4_native_aarch64_v84a`	✅	2s	3s	-33%
`keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid`	✅	2s	1s	+100%
`keccakf1600_extract_bytes (big endian)`	✅	2s	3s	-33%
`keccakf1600_xor_bytes (big endian)`	✅	2s	3s	-33%
`keccakf1600x4_extract_bytes`	✅	2s	3s	-33%
`keccakf1600x4_xor_bytes`	✅	2s	4s	-50%
`mld_ct_abs_i32`	✅	2s	4s	-50%
`mld_ct_get_optblocker_i64`	✅	2s	2s	+0%
`mld_ct_get_optblocker_u32`	✅	2s	2s	+0%
`mld_ct_sel_int32`	✅	2s	3s	-33%
`mld_prepare_domain_separation_prefix`	✅	2s	3s	-33%
`mld_value_barrier_i64`	✅	2s	3s	-33%
`mld_value_barrier_u32`	✅	2s	3s	-33%
`montgomery_reduce`	✅	2s	3s	-33%
`ntt_native_x86_64`	✅	2s	2s	+0%
`pack_sig_c`	✅	2s	3s	-33%
`pack_sk`	✅	2s	2s	+0%
`pointwise_native_aarch64`	✅	2s	3s	-33%
`poly_invntt_tomont_native`	✅	2s	5s	-60%
`poly_make_hint`	✅	2s	3s	-33%
`poly_pointwise_montgomery_native`	✅	2s	3s	-33%
`poly_uniform_gamma1_4x`	✅	2s	7s	-71%
`polyt0_pack`	✅	2s	2s	+0%
`polyvecl_uniform_gamma1_serial`	✅	2s	3s	-33%
`polyz_pack`	✅	2s	2s	+0%
`polyz_unpack_c`	✅	2s	4s	-50%
`polyz_unpack_native`	✅	2s	1s	+100%
`reduce32`	✅	2s	2s	+0%
`shake128_absorb`	✅	2s	3s	-33%
`shake128x4_squeezeblocks`	✅	2s	3s	-33%
`shake256`	✅	2s	2s	+0%
`shake256_init`	✅	2s	1s	+100%
`shake256x4_absorb_once`	✅	2s	3s	-33%
`sign_verify`	✅	2s	5s	-60%
`sys_check_capability`	✅	2s	2s	+0%
`use_hint`	✅	2s	3s	-33%
`keccak_f1600_x1_native_aarch64`	✅	1s	2s	-50%
`keccak_finalize`	✅	1s	2s	-50%
`mld_ct_get_optblocker_u8`	✅	1s	4s	-75%
`mld_keccakf1600_extract_bytes`	✅	1s	3s	-67%
`poly_ntt_native`	✅	1s	3s	-67%
`polyt1_pack`	✅	1s	2s	-50%
`shake128_release`	✅	1s	3s	-67%
`shake128_squeeze`	✅	1s	2s	-50%
`shake256_absorb`	✅	1s	1s	+0%
`shake256_squeeze`	✅	1s	2s	-50%

rod-chapman · 2026-02-23T10:15:58Z

  ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx,
                           ctxlen, sk, context);
-  *smlen += mlen;
+  if (ret == 0)


Please update the comment(s) and the ensures contract for this function in sign.h
(or is it deliberately left under-specified?)

Do the comments at the top-level API in mldsa/mldsa_native.h also need to be updated?

I think the contract and comments exactly what we want to guarantee:
(return_value == 0 && *smlen == MLDSA_CRYPTO_BYTES + mlen)
WDYT @hanno-becker?

In the long term I think we should rather consider eliminating smlen altogether - see #789.

In the failure case(s), should we write *smlen==0 in the ensures clause, or leave it unspecified?

I'm in favor of harmonizing this with mld_sign_signature, and modify the post-condition from

ensures((return_value == 0 && *smlen == MLDSA_CRYPTO_BYTES + mlen) || (return_value == MLD_ERR_FAIL || return_value == MLD_ERR_OUT_OF_MEMORY || return_value == MLD_ERR_RNG_FAIL))

to

ensures((return_value == 0 && *smlen == MLDSA_CRYPTO_BYTES + mlen) || ((return_value == MLD_ERR_FAIL || return_value == MLD_ERR_OUT_OF_MEMORY || return_value == MLD_ERR_RNG_FAIL) && *smlen == 0))

In mld_sign if a failure is returned from mld_sign_signature, we currently set the smlen to mlen (mld_sign_signature returns smlen=0, and we increment it by mlen). This commit changes it so that in the case of failure smlen=0 is returned. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

This commit adds a reference to FIPS204 that states that t0 does not need to be considered secret. That replaces an old reference to an eprint report stating the same. Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

hanno-becker

I agree with @rod-chapman that we should note in the CBMC contract for mld_sign that *smlen == 0 if the function fails.

mkannwischer marked this pull request as ready for review February 10, 2026 03:54

mkannwischer requested a review from a team as a code owner February 10, 2026 03:54

mkannwischer mentioned this pull request Feb 23, 2026

Inconsistent and possibly confusing mld_sign() API and contracts #974

Open

rod-chapman self-requested a review February 23, 2026 10:08

rod-chapman force-pushed the smlen branch from 42ed215 to 134bfe1 Compare February 23, 2026 10:09

rod-chapman reviewed Feb 23, 2026

View reviewed changes

mkannwischer assigned hanno-becker Apr 1, 2026

mkannwischer added 2 commits April 13, 2026 06:09

hanno-becker force-pushed the smlen branch from 134bfe1 to 97afc26 Compare April 13, 2026 05:09

hanno-becker requested changes Apr 16, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign: Set smlen to 0 in case of failure#959

Sign: Set smlen to 0 in case of failure#959
mkannwischer wants to merge 2 commits intomainfrom
smlen

mkannwischer commented Feb 10, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Feb 10, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Feb 10, 2026 •

edited

Loading

Uh oh!

oqs-bot commented Feb 10, 2026 •

edited

Loading

Uh oh!

rod-chapman Feb 23, 2026

Uh oh!

rod-chapman Feb 23, 2026

Uh oh!

mkannwischer Feb 24, 2026

Uh oh!

rod-chapman Feb 24, 2026

Uh oh!

hanno-becker Apr 16, 2026

Uh oh!

hanno-becker left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

mkannwischer commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oqs-bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-44)

Uh oh!

oqs-bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-87)

Uh oh!

oqs-bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CBMC Results (ML-DSA-65)

Uh oh!

rod-chapman Feb 23, 2026

Choose a reason for hiding this comment

Uh oh!

rod-chapman Feb 23, 2026

Choose a reason for hiding this comment

Uh oh!

mkannwischer Feb 24, 2026

Choose a reason for hiding this comment

Uh oh!

rod-chapman Feb 24, 2026

Choose a reason for hiding this comment

Uh oh!

hanno-becker Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

hanno-becker left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mkannwischer commented Feb 10, 2026 •

edited

Loading

oqs-bot commented Feb 10, 2026 •

edited

Loading

oqs-bot commented Feb 10, 2026 •

edited

Loading

oqs-bot commented Feb 10, 2026 •

edited

Loading