
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: Update libcrux ML-KEM used in OpenSSH
To: Damien Miller <djm@mindrot.org>
Cc: tech@openbsd.org, openssh@openssh.com
Date: Thu, 13 Nov 2025 05:36:59 +0100

> I'd particularly appreciate test reports from anyone with access to
> a 64-bit BE architecture, as there have been bugs here in the past.

Seems to work fine on sparc64. I applied the diff, ran regress and
restarted sshd. I had to disable -Werror in the kex unittest to get past
the familiar '--param max-inline-insns-single limit reached' warning.

I can connect into and out of the box from and to 64-bit BE and LE
machines with the -oKexAlgorithms=mlkem768x25519-sha256 option and
without (which should not change anything afaik). It seems to
interoperate fine with the old mlkem in the ssh client and the new one.

I have verified that I get the same libcrux_mlkem768_sha3.h as you by
only applying the mlkem768.sh part of your diff and running the
resulting script. I have skimmed the upstream changes. Nothing
particularly bothered me but there's way too much churn to make any
kind of meaningful assessment in a reasonable amount of time.

In short, I am about as confident as I can be moving forward with this.

ok tb