Introduce local mld_matrix_permute_bitrev_to_custom() function.

rod-chapman · rod-chapman · commit e5478ee12325 · 2025-11-05T10:07:37.000Z
to simplify polyvec_maxtrix_expand(),
stabilize proof and avoid need to ignore code for proof.

Signed-off-by: Rod Chapman &lt;rodchap@amazon.com&gt;
diff --git a/mldsa/src/polyvec.c b/mldsa/src/polyvec.c
@@ -21,17 +21,47 @@
 #include "poly_kl.h"
 #include "polyvec.h"
 
-#if !defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER)
 /* This namespacing is not done at the top to avoid a naming conflict
  * with native backends, which are currently not yet namespaced. */
-#define mld_poly_permute_bitrev_to_custom \
-  MLD_NAMESPACE_KL(mld_poly_permute_bitrev_to_custom)
+#define mld_matrix_permute_bitrev_to_custom \
+  MLD_NAMESPACE_KL(mld_matrix_permute_bitrev_to_custom)
 
-static MLD_INLINE void mld_poly_permute_bitrev_to_custom(int32_t data[MLDSA_N])
+/* Helper function to ensure that the polynomial entries in the output
+ * of mld_polyvec_matrix_expand use the standard (bitreversed) ordering
+ * of coefficients.
+ * No-op unless a native backend with a custom ordering is used.
+ */
+static void mld_matrix_permute_bitrev_to_custom(mld_polyvecl mat[MLDSA_K])
+__contract__(
+  /* We don't specify that this should be a permutation, but only
+   * that it does not change the bound established at the end of
+   * mld_polyvec_matrix_expand.
+   */
+  requires(memory_no_alias(mat, MLDSA_K * sizeof(mld_polyvecl)))
+  requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
+    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+  assigns(object_whole(mat))
+  ensures(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
+    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+)
 {
-  ((void)data);
-}
+#if defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER)
+  unsigned int i, j;
+  for (i = 0; i < MLDSA_K; i++)
+  {
+    for (j = 0; j < MLDSA_L; j++)
+    {
+      mld_poly_permute_bitrev_to_custom(mat[i].vec[j].coeffs);
+    }
+  }
+
+#else /* MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
+
+  /* Nothing to do */
+  ((void)mat);
+
 #endif /* !MLD_USE_NATIVE_NTT_CUSTOM_ORDER */
+}
 
 
 MLD_INTERNAL_API
@@ -107,21 +137,7 @@ void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
     i++;
   }
 
-  /*
-   * The public matrix is generated in NTT domain. If the native backend
-   * uses a custom order in NTT domain, permute A accordingly. This does
-   * not affect the bounds on the coefficients, so we ignore this for CBMC
-   * to simplify proof.
-   */
-#ifndef CBMC
-  for (i = 0; i < MLDSA_K; i++)
-  {
-    for (j = 0; j < MLDSA_L; j++)
-    {
-      mld_poly_permute_bitrev_to_custom(mat[i].vec[j].coeffs);
-    }
-  }
-#endif /* !CBMC */
+  mld_matrix_permute_bitrev_to_custom(mat);
 
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(single_seed, sizeof(single_seed));
@@ -160,7 +176,7 @@ void mld_polyvecl_uniform_gamma1(mld_polyvecl *v,
   /* Safety: nonce is at most ((UINT16_MAX - MLDSA_L) / MLDSA_L), and, hence,
    * this cast is safe. See NONCE_UB comment in sign.c. */
   nonce = (uint16_t)(MLDSA_L * nonce);
-  /* Now, nonce <= UINT16_MAX - (MLDSA_L - 1), so the casts below are safe. */
+/* Now, nonce <= UINT16_MAX - (MLDSA_L - 1), so the casts below are safe. */
 #if MLDSA_L == 4
   mld_poly_uniform_gamma1_4x(&v->vec[0], &v->vec[1], &v->vec[2], &v->vec[3],
                              seed, nonce, (uint16_t)(nonce + 1),
diff --git a/proofs/cbmc/matrix_permute_bitrev_to_custom/Makefile b/proofs/cbmc/matrix_permute_bitrev_to_custom/Makefile
@@ -0,0 +1,55 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = matrix_permute_bitrev_to_custom_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = matrix_permute_bitrev_to_custom
+
+DEFINES +=
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)mld_matrix_permute_bitrev_to_custom
+USE_FUNCTION_CONTRACTS=
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2 --slice-formula --no-array-field-sensitivity
+
+FUNCTION_NAME = mld_matrix_permute_bitrev_to_custom
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 12
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/matrix_permute_bitrev_to_custom/matrix_permute_bitrev_to_custom_harness.c b/proofs/cbmc/matrix_permute_bitrev_to_custom/matrix_permute_bitrev_to_custom_harness.c
@@ -0,0 +1,14 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "polyvec.h"
+
+#define mld_matrix_permute_bitrev_to_custom \
+  MLD_NAMESPACE_KL(mld_matrix_permute_bitrev_to_custom)
+void mld_matrix_permute_bitrev_to_custom(mld_polyvecl mat[MLDSA_K]);
+
+void harness(void)
+{
+  mld_polyvecl *mat;
+  mld_matrix_permute_bitrev_to_custom(mat);
+}
diff --git a/proofs/cbmc/polyvec_matrix_expand/Makefile b/proofs/cbmc/polyvec_matrix_expand/Makefile
@@ -20,7 +20,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvec_matrix_expand
-USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_uniform_4x $(MLD_NAMESPACE)poly_uniform
+USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_uniform_4x $(MLD_NAMESPACE)poly_uniform $(MLD_NAMESPACE)mld_matrix_permute_bitrev_to_custom
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
