Use ad-hoc matrix generation for reduced RAM usage

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

Author: hanno-becker

README.md

@@ -153,6 +153,15 @@ contracts and loop invariants from the code; they will be ignored unless `CBMC`
 
 Yes. mldsa-native supports all three ML-DSA security levels (ML-DSA-44, ML-DSA-65, ML-DSA-87) as defined in FIPS 204. The security level is a compile-time parameter configured by setting `MLD_CONFIG_PARAMETER_SET=44/65/87` in [mldsa_native_config.h](mldsa/mldsa_native_config.h).
 
+### Can I reduce RAM usage for embedded systems?
+
+Yes. mldsa-native provides a compile-time option `MLD_CONFIG_REDUCE_RAM` that reduces RAM usage. This trades memory for performance:
+
+- **Memory savings**: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65), 56 KB (ML-DSA-87)
+- **Performance cost**: Matrix generation is no longer batched, resulting in slower signing and verification
+
+To enable this mode, define `MLD_CONFIG_REDUCE_RAM` in [mldsa_config.h](mldsa/mldsa_config.h) or pass `-DMLD_CONFIG_REDUCE_RAM` as a compiler flag.
+
 ### Does mldsa-native use hedged or deterministic signing?
 
 By default, mldsa-native uses the randomized "hedged" signing variant as specified in FIPS 204 Section 3.4. The hedged variant uses both fresh randomness at signing time and precomputed randomness from the private key. This helps mitigate fault injection attacks and side-channel attacks while protecting against potential flaws in the random number generator.

examples/basic_deterministic/mldsa_native/mldsa_native_config.h

@@ -671,13 +671,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -689,7 +687,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/basic_lowram/mldsa_native/mldsa_native_config.h

@@ -670,13 +670,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -688,7 +686,6 @@
  *****************************************************************************/
 #define MLD_CONFIG_REDUCE_RAM
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/bring_your_own_fips202/mldsa_native/mldsa_native_config.h

@@ -671,13 +671,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -689,7 +687,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/bring_your_own_fips202_static/mldsa_native/mldsa_native_config.h

@@ -672,13 +672,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -690,7 +688,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/custom_backend/mldsa_native/mldsa_native_config.h

@@ -667,13 +667,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -685,7 +683,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/monolithic_build/mldsa_native/mldsa_native_config.h

@@ -670,13 +670,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -688,7 +686,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/monolithic_build_multilevel/mldsa_native/mldsa_native_config.h

@@ -671,13 +671,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -689,7 +687,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/monolithic_build_multilevel_native/mldsa_native/mldsa_native_config.h

@@ -678,13 +678,11 @@ static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -696,7 +694,6 @@ static MLD_INLINE void mld_randombytes(uint8_t *ptr, size_t len)
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */

examples/monolithic_build_native/mldsa_native/mldsa_native_config.h

@@ -670,13 +670,11 @@
  *
  * Description: Set this to reduce RAM usage.
  *
- *              This configuration option is work in progress.
- *
- *              At present it results the following memory saving in signing
- *              with no impact on performance:
- *               - ML-DSA-44: 4 KiB
- *               - ML-DSA-65: 5 KiB
- *               - ML-DSA-87: 7 KiB
+ *              This trades memory for performance:
+ *              - Memory savings: 16 KB (ML-DSA-44), 30 KB (ML-DSA-65),
+ *                56 KB (ML-DSA-87)
+ *              - Performance cost: Matrix generation is no longer batched,
+ *                resulting in slower signing and verification
  *
  *              This option is useful for embedded systems with tight RAM
  *              constraints but relaxed performance requirements.
@@ -688,7 +686,6 @@
  *****************************************************************************/
 /* #define MLD_CONFIG_REDUCE_RAM */
 
-
 /*************************  Config internals  ********************************/
 
 #endif /* MLD_BUILD_INTERNAL */