sign stack usage: compute z incrementally

This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time) allowing to eliminate the polyvecl
z (at to cost of a single poly z).
De-facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortuantely, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

README.md

@@ -158,7 +158,7 @@ Yes. mldsa-native supports all three ML-DSA security levels (ML-DSA-44, ML-DSA-6
 Yes. mldsa-native provides a compile-time option `MLD_CONFIG_REDUCE_RAM` that reduces RAM usage. This trades memory for performance:
 
 - **Memory savings**: 12 KB (ML-DSA-44), 25 KB (ML-DSA-65), 49 KB (ML-DSA-87) for each of key generation, signing, and verification.
-                      For signing, additional 4 KB (ML-DSA-44), 5 KB (ML-DSA-65), and 7 KB (ML-DSA-87) are saved.
+                      For signing, additional 8 KB (ML-DSA-44), 10 KB (ML-DSA-65), and 14 KB (ML-DSA-87) are saved.
 - **Performance cost**: Matrix generation is no longer batched, resulting in slower signing and verification
 
 To enable this mode, define `MLD_CONFIG_REDUCE_RAM` in [mldsa_native_config.h](mldsa/mldsa_native_config.h) or pass `-DMLD_CONFIG_REDUCE_RAM` as a compiler flag.

mldsa/mldsa_native.S

@@ -222,6 +222,7 @@
 #undef MLD_PACKING_H
 #undef mld_pack_pk
 #undef mld_pack_sig
+#undef mld_pack_sig_z
 #undef mld_pack_sk
 #undef mld_unpack_pk
 #undef mld_unpack_sig
@@ -296,15 +297,10 @@
 #undef mld_polyveck_unpack_t0
 #undef mld_polyveck_use_hint
 #undef mld_polyvecl
-#undef mld_polyvecl_add
 #undef mld_polyvecl_chknorm
-#undef mld_polyvecl_invntt_tomont
 #undef mld_polyvecl_ntt
 #undef mld_polyvecl_pack_eta
-#undef mld_polyvecl_pack_z
 #undef mld_polyvecl_pointwise_acc_montgomery
-#undef mld_polyvecl_pointwise_poly_montgomery
-#undef mld_polyvecl_reduce
 #undef mld_polyvecl_uniform_gamma1
 #undef mld_polyvecl_unpack_eta
 #undef mld_polyvecl_unpack_z

mldsa/mldsa_native.c

@@ -218,6 +218,7 @@
 #undef MLD_PACKING_H
 #undef mld_pack_pk
 #undef mld_pack_sig
+#undef mld_pack_sig_z
 #undef mld_pack_sk
 #undef mld_unpack_pk
 #undef mld_unpack_sig
@@ -292,15 +293,10 @@
 #undef mld_polyveck_unpack_t0
 #undef mld_polyveck_use_hint
 #undef mld_polyvecl
-#undef mld_polyvecl_add
 #undef mld_polyvecl_chknorm
-#undef mld_polyvecl_invntt_tomont
 #undef mld_polyvecl_ntt
 #undef mld_polyvecl_pack_eta
-#undef mld_polyvecl_pack_z
 #undef mld_polyvecl_pointwise_acc_montgomery
-#undef mld_polyvecl_pointwise_poly_montgomery
-#undef mld_polyvecl_reduce
 #undef mld_polyvecl_uniform_gamma1
 #undef mld_polyvecl_unpack_eta
 #undef mld_polyvecl_unpack_z

mldsa/src/packing.c

@@ -100,15 +100,15 @@ void mld_unpack_sk(uint8_t rho[MLDSA_SEEDBYTES], uint8_t tr[MLDSA_TRBYTES],
 
 MLD_INTERNAL_API
 void mld_pack_sig(uint8_t sig[MLDSA_CRYPTO_BYTES],
-                  const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyvecl *z,
-                  const mld_polyveck *h, const unsigned int number_of_hints)
+                  const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyveck *h,
+                  const unsigned int number_of_hints)
 {
   unsigned int i, j, k;
 
   mld_memcpy(sig, c, MLDSA_CTILDEBYTES);
   sig += MLDSA_CTILDEBYTES;
 
-  mld_polyvecl_pack_z(sig, z);
+  /* skip z component - packed via mld_pack_sig_z */
   sig += MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
 
   /* Encode hints h */
@@ -168,6 +168,15 @@ void mld_pack_sig(uint8_t sig[MLDSA_CRYPTO_BYTES],
   }
 }
 
+MLD_INTERNAL_API
+void mld_pack_sig_z(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *zi,
+                    unsigned i)
+{
+  sig += MLDSA_CTILDEBYTES;
+  sig += i * MLDSA_POLYZ_PACKEDBYTES;
+  mld_polyz_pack(sig, zi);
+}
+
 /*************************************************
  * Name:        mld_unpack_hints
  *

mldsa/src/packing.h

@@ -73,12 +73,12 @@ __contract__(
 /*************************************************
  * Name:        mld_pack_sig
  *
- * Description: Bit-pack signature sig = (c, z, h).
+ * Description: Bit-pack c and h component of sig = (c, z, h).
+ *              The z component is packed separately using mld_pack_sig_z.
  *
  * Arguments:   - uint8_t sig[]: output byte array
  *              - const uint8_t *c:  pointer to challenge hash length
  *                                   MLDSA_SEEDBYTES
- *              - const mld_polyvecl *z: pointer to vector z
  *              - const mld_polyveck *h: pointer to hint vector h
  *              - const unsigned int number_of_hints: total
  *                                   hints in *h
@@ -89,21 +89,41 @@ __contract__(
  **************************************************/
 MLD_INTERNAL_API
 void mld_pack_sig(uint8_t sig[MLDSA_CRYPTO_BYTES],
-                  const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyvecl *z,
-                  const mld_polyveck *h, const unsigned int number_of_hints)
+                  const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyveck *h,
+                  const unsigned int number_of_hints)
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
   requires(memory_no_alias(c, MLDSA_CTILDEBYTES))
-  requires(memory_no_alias(z, sizeof(mld_polyvecl)))
   requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  requires(forall(k0, 0, MLDSA_L,
-    array_bound(z->vec[k0].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
   requires(forall(k1, 0, MLDSA_K,
     array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
   requires(number_of_hints <= MLDSA_OMEGA)
   assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
 );
 
+#define mld_pack_sig_z MLD_NAMESPACE_KL(pack_sig_z)
+/*************************************************
+ * Name:        mld_pack_sig_z
+ *
+ * Description: Bit-pack single polynomial of z component of sig = (c, z, h).
+ *              The c and h components are packed separately using mld_pack_sig.
+ *
+ * Arguments:   - uint8_t sig[]: output byte array
+ *              - const mld_poly *zi: pointer to a single polynomial in z
+ *              - const unsigned int i: index of zi in vector z
+ *
+ **************************************************/
+MLD_INTERNAL_API
+void mld_pack_sig_z(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *zi,
+                    unsigned i)
+__contract__(
+  requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
+  requires(memory_no_alias(zi, sizeof(mld_poly)))
+  requires(i < MLDSA_L)
+  requires(array_bound(zi->coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1))
+  assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
+);
+
 #define mld_unpack_pk MLD_NAMESPACE_KL(unpack_pk)
 /*************************************************
  * Name:        mld_unpack_pk

mldsa/src/polyvec.c

@@ -264,50 +264,6 @@ void mld_polyvecl_uniform_gamma1(mld_polyvecl *v,
                       MLDSA_GAMMA1 + 1);
 }
 
-MLD_INTERNAL_API
-void mld_polyvecl_reduce(mld_polyvecl *v)
-{
-  unsigned int i;
-  mld_assert_bound_2d(v->vec, MLDSA_L, MLDSA_N, INT32_MIN,
-                      MLD_REDUCE32_DOMAIN_MAX);
-
-  for (i = 0; i < MLDSA_L; ++i)
-  __loop__(
-    assigns(i, memory_slice(v, sizeof(mld_polyvecl)))
-    invariant(i <= MLDSA_L)
-    invariant(forall(k0, i, MLDSA_L, forall(k1, 0, MLDSA_N, v->vec[k0].coeffs[k1] == loop_entry(*v).vec[k0].coeffs[k1])))
-    invariant(forall(k2, 0, i,
-      array_bound(v->vec[k2].coeffs, 0, MLDSA_N, -MLD_REDUCE32_RANGE_MAX, MLD_REDUCE32_RANGE_MAX))))
-  {
-    mld_poly_reduce(&v->vec[i]);
-  }
-
-  mld_assert_bound_2d(v->vec, MLDSA_L, MLDSA_N, -MLD_REDUCE32_RANGE_MAX,
-                      MLD_REDUCE32_RANGE_MAX);
-}
-
-/* Reference: We use destructive version (output=first input) to avoid
- *            reasoning about aliasing in the CBMC specification */
-MLD_INTERNAL_API
-void mld_polyvecl_add(mld_polyvecl *u, const mld_polyvecl *v)
-{
-  unsigned int i;
-
-  for (i = 0; i < MLDSA_L; ++i)
-  __loop__(
-    assigns(i, memory_slice(u, sizeof(mld_polyvecl)))
-    invariant(i <= MLDSA_L)
-    invariant(forall(k0, i, MLDSA_L,
-              forall(k1, 0, MLDSA_N, u->vec[k0].coeffs[k1] == loop_entry(*u).vec[k0].coeffs[k1])))
-    invariant(forall(k6, 0, i, array_bound(u->vec[k6].coeffs, 0, MLDSA_N, INT32_MIN, MLD_REDUCE32_DOMAIN_MAX)))
-  )
-  {
-    mld_poly_add(&u->vec[i], &v->vec[i]);
-  }
-  mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, INT32_MIN,
-                      MLD_REDUCE32_DOMAIN_MAX);
-}
-
 MLD_INTERNAL_API
 void mld_polyvecl_ntt(mld_polyvecl *v)
 {
@@ -327,46 +283,6 @@ void mld_polyvecl_ntt(mld_polyvecl *v)
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
 }
 
-MLD_INTERNAL_API
-void mld_polyvecl_invntt_tomont(mld_polyvecl *v)
-{
-  unsigned int i;
-  mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLDSA_Q);
-
-  for (i = 0; i < MLDSA_L; ++i)
-  __loop__(
-    assigns(i, memory_slice(v, sizeof(mld_polyvecl)))
-    invariant(i <= MLDSA_L)
-    invariant(forall(k0, i, MLDSA_L, forall(k1, 0, MLDSA_N, v->vec[k0].coeffs[k1] == loop_entry(*v).vec[k0].coeffs[k1])))
-    invariant(forall(k1, 0, i, array_abs_bound(v->vec[k1].coeffs, 0, MLDSA_N, MLD_INTT_BOUND))))
-  {
-    mld_poly_invntt_tomont(&v->vec[i]);
-  }
-
-  mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_INTT_BOUND);
-}
-
-MLD_INTERNAL_API
-void mld_polyvecl_pointwise_poly_montgomery(mld_polyvecl *r, const mld_poly *a,
-                                            const mld_polyvecl *v)
-{
-  unsigned int i;
-  mld_assert_abs_bound(a->coeffs, MLDSA_N, MLD_NTT_BOUND);
-  mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
-
-  for (i = 0; i < MLDSA_L; ++i)
-  __loop__(
-    assigns(i, memory_slice(r, sizeof(mld_polyvecl)))
-    invariant(i <= MLDSA_L)
-    invariant(forall(k2, 0, i, array_abs_bound(r->vec[k2].coeffs, 0, MLDSA_N, MLDSA_Q)))
-  )
-  {
-    mld_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-  }
-
-  mld_assert_abs_bound_2d(r->vec, MLDSA_L, MLDSA_N, MLDSA_Q);
-}
-
 MLD_STATIC_TESTABLE void mld_polyvecl_pointwise_acc_montgomery_c(
     mld_poly *w, const mld_polyvecl *u, const mld_polyvecl *v)
 __contract__(
@@ -832,23 +748,6 @@ void mld_polyvecl_pack_eta(uint8_t r[MLDSA_L * MLDSA_POLYETA_PACKEDBYTES],
   }
 }
 
-MLD_INTERNAL_API
-void mld_polyvecl_pack_z(uint8_t r[MLDSA_L * MLDSA_POLYZ_PACKEDBYTES],
-                         const mld_polyvecl *p)
-{
-  unsigned int i;
-  mld_assert_bound_2d(p->vec, MLDSA_L, MLDSA_N, -(MLDSA_GAMMA1 - 1),
-                      MLDSA_GAMMA1 + 1);
-  for (i = 0; i < MLDSA_L; ++i)
-  __loop__(
-    assigns(i, memory_slice(r, MLDSA_L * MLDSA_POLYZ_PACKEDBYTES))
-    invariant(i <= MLDSA_L)
-  )
-  {
-    mld_polyz_pack(&r[i * MLDSA_POLYZ_PACKEDBYTES], &p->vec[i]);
-  }
-}
-
 MLD_INTERNAL_API
 void mld_polyveck_pack_t0(uint8_t r[MLDSA_K * MLDSA_POLYT0_PACKEDBYTES],
                           const mld_polyveck *p)