CBMC: Add proofs on top of native functions

willieyz · mkannwischer · willieyz · commit 85e1c574c2a1 · 2026-01-06T12:18:06.000+08:00
(polymat_permute_bitrev_to_custom_native) - Unlike previous commit: 52df632, this commit want to remove the temporary workaround, directly prove polymat_permute_bitrev_custom on top of native API. Co-authored-by: Matthias J. Kannwischer <matthias@kannwischer.eu> Signed-off-by: willieyz <willie.zhao@chelpis.com>
diff --git a/mldsa/src/native/api.h b/mldsa/src/native/api.h
@@ -131,7 +131,8 @@ __contract__(
   requires(memory_no_alias(p, sizeof(int32_t) * MLDSA_N))
   requires(array_bound(p, 0, MLDSA_N, 0, MLDSA_Q))
   assigns(memory_slice(p, sizeof(int32_t) * MLDSA_N))
-  ensures(array_bound(p, 0, MLDSA_N, 0, MLDSA_Q)));
+  ensures(array_bound(p, 0, MLDSA_N, 0, MLDSA_Q))
+);
 #endif /* MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
 
 
diff --git a/mldsa/src/polyvec.c b/mldsa/src/polyvec.c
@@ -25,8 +25,6 @@
  * with native backends, which are currently not yet namespaced. */
 #define mld_polymat_permute_bitrev_to_custom \
   MLD_ADD_PARAM_SET(mld_polymat_permute_bitrev_to_custom)
-#define mld_polyvecl_permute_bitrev_to_custom \
-  MLD_ADD_PARAM_SET(mld_polyvecl_permute_bitrev_to_custom)
 #define mld_polyvecl_pointwise_acc_montgomery_c \
   MLD_ADD_PARAM_SET(mld_polyvecl_pointwise_acc_montgomery_c)
 
@@ -37,36 +35,6 @@
  * No-op unless a native backend with a custom ordering is used.
  */
 
-static void mld_polyvecl_permute_bitrev_to_custom(mld_polyvecl *v)
-__contract__(
-  /* We don't specify that this should be a permutation, but only
-   * that it does not change the bound established at the end of
-   * mld_polyvec_matrix_expand. 
-   */
-  requires(memory_no_alias(v, sizeof(mld_polyvecl)))
-  requires(forall(x, 0, MLDSA_L,
-    array_bound(v->vec[x].coeffs, 0, MLDSA_N, 0, MLDSA_Q)))
-  assigns(memory_slice(v, sizeof(mld_polyvecl)))
-  ensures(forall(x, 0, MLDSA_L,
-    array_bound(v->vec[x].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
-{
-#if defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER)
-  unsigned i;
-  for (i = 0; i < MLDSA_L; i++)
-  __loop__(
-     assigns(i, memory_slice(v, sizeof(mld_polyvecl)))
-     invariant(i <= MLDSA_L)
-     invariant(forall(x, 0, MLDSA_L,
-       array_bound(v->vec[x].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
-  {
-    mld_poly_permute_bitrev_to_custom(v->vec[i].coeffs);
-  }
-#else  /* MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
-  /* Nothing to do */
-  (void)v;
-#endif /* !MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
-}
-
 static void mld_polymat_permute_bitrev_to_custom(mld_polymat *mat)
 __contract__(
   /* We don't specify that this should be a permutation, but only
@@ -81,16 +49,27 @@ __contract__(
     array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
 )
 {
+#if defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER)
+  /* TODO: proof */
   unsigned int i;
-  for (i = 0; i < MLDSA_K; i++)
+  for (i = 0; i < MLDSA_K * MLDSA_L; i++)
   __loop__(
     assigns(i, memory_slice(mat, sizeof(mld_polymat)))
-    invariant(i <= MLDSA_K)
+    invariant(i <= MLDSA_K * MLDSA_L)
     invariant(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-      array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q)))))
+      array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+  )
   {
-    mld_polyvecl_permute_bitrev_to_custom(&mat->vec[i]);
+    mld_poly_permute_bitrev_to_custom(
+        mat->vec[i / MLDSA_L].vec[i % MLDSA_L].coeffs);
   }
+
+#else /* MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
+
+  /* Nothing to do */
+  ((void)mat);
+
+#endif /* !MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
 }
 #endif /* !MLD_CONFIG_REDUCE_RAM */
 
@@ -951,5 +930,4 @@ void mld_polyveck_unpack_t0(mld_polyveck *p,
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */
 #undef mld_polymat_permute_bitrev_to_custom
-#undef mld_polyvecl_permute_bitrev_to_custom
 #undef mld_polyvecl_pointwise_acc_montgomery_c
diff --git a/proofs/cbmc/polymat_permute_bitrev_to_custom/Makefile b/proofs/cbmc/polymat_permute_bitrev_to_custom/Makefile
@@ -20,7 +20,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c
 
 CHECK_FUNCTION_CONTRACTS=mld_polymat_permute_bitrev_to_custom
-USE_FUNCTION_CONTRACTS=mld_polyvecl_permute_bitrev_to_custom
+USE_FUNCTION_CONTRACTS=
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
diff --git a/proofs/cbmc/polymat_permute_bitrev_to_custom_native/Makefile b/proofs/cbmc/polymat_permute_bitrev_to_custom_native/Makefile
@@ -1,42 +1,43 @@
-# Copyright (c) The mlkem-native project authors
 # Copyright (c) The mldsa-native project authors
 # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
 
 include ../Makefile_params.common
 
 HARNESS_ENTRY = harness
-HARNESS_FILE = polyvecl_permute_bitrev_to_custom_native_harness
+HARNESS_FILE = polymat_permute_bitrev_to_custom_native_harness
 
 # This should be a unique identifier for this proof, and will appear on the
 # Litani dashboard. It can be human-readable and contain spaces if you wish.
-PROOF_UID = mld_polyvecl_permute_bitrev_to_custom_native
+PROOF_UID = polymat_permute_bitrev_to_custom_native
 
 DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
 INCLUDES +=
-UNWINDSET +=
 
 REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
 
 PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c
 
-CHECK_FUNCTION_CONTRACTS=mld_polyvecl_permute_bitrev_to_custom
-USE_FUNCTION_CONTRACTS= mld_poly_permute_bitrev_to_custom
+CHECK_FUNCTION_CONTRACTS=mld_polymat_permute_bitrev_to_custom
+USE_FUNCTION_CONTRACTS=mld_poly_permute_bitrev_to_custom
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
 # Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
 EXTERNAL_SAT_SOLVER=
 CBMCFLAGS=--smt2 --slice-formula --no-array-field-sensitivity
 
-FUNCTION_NAME = mld_polyvecl_permute_bitrev_to_custom_native
+FUNCTION_NAME = polymat_permute_bitrev_to_custom_native
 
 # If this proof is found to consume huge amounts of RAM, you can set the
 # EXPENSIVE variable. With new enough versions of the proof tools, this will
 # restrict the number of EXPENSIVE CBMC jobs running at once. See the
 # documentation in Makefile.common under the "Job Pools" heading for details.
 # EXPENSIVE = true
-CBMC_OBJECT_BITS = 10
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 12
 
 # If you require access to a file-local ("static") function or object to conduct
 # your proof, set the following (and do not include the original source file
diff --git a/proofs/cbmc/polymat_permute_bitrev_to_custom_native/polymat_permute_bitrev_to_custom_native_harness.c b/proofs/cbmc/polymat_permute_bitrev_to_custom_native/polymat_permute_bitrev_to_custom_native_harness.c
@@ -3,10 +3,10 @@
 
 #include "polyvec.h"
 
-void mld_polyvecl_permute_bitrev_to_custom(mld_polyvecl *v);
+void mld_polymat_permute_bitrev_to_custom(mld_polymat *mat);
 
 void harness(void)
 {
-  mld_polyvecl *v;
-  mld_polyvecl_permute_bitrev_to_custom(v);
+  mld_polymat *mat;
+  mld_polymat_permute_bitrev_to_custom(mat);
 }
diff --git a/proofs/cbmc/polyvecl_permute_bitrev_to_custom/Makefile b/proofs/cbmc/polyvecl_permute_bitrev_to_custom/Makefile
diff --git a/proofs/cbmc/polyvecl_permute_bitrev_to_custom_native/polyvecl_permute_bitrev_to_custom_native_harness.c b/proofs/cbmc/polyvecl_permute_bitrev_to_custom_native/polyvecl_permute_bitrev_to_custom_native_harness.c

Original file line number	Diff line number	Diff line change
`@@ -3,10 +3,10 @@`
`3`	`3`
`4`	`4`	`#include "polyvec.h"`
`5`	`5`
`6`		`-void mld_polyvecl_permute_bitrev_to_custom(mld_polyvecl *v);`
	`6`	`+void mld_polymat_permute_bitrev_to_custom(mld_polymat *mat);`
`7`	`7`
`8`	`8`	`void harness(void)`
`9`	`9`	`{`
`10`		`- mld_polyvecl *v;`
`11`		`- mld_polyvecl_permute_bitrev_to_custom(v);`
	`10`	`+ mld_polymat *mat;`
	`11`	`+ mld_polymat_permute_bitrev_to_custom(mat);`
`12`	`12`	`}`