diff --git a/mldsa/src/polyvec.c b/mldsa/src/polyvec.c index 8469c8654..e7ce34514 100644 --- a/mldsa/src/polyvec.c +++ b/mldsa/src/polyvec.c @@ -21,17 +21,48 @@ #include "poly_kl.h" #include "polyvec.h" -#if !defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER) /* This namespacing is not done at the top to avoid a naming conflict * with native backends, which are currently not yet namespaced. */ -#define mld_poly_permute_bitrev_to_custom \ - MLD_NAMESPACE_KL(mld_poly_permute_bitrev_to_custom) +#define mld_matrix_permute_bitrev_to_custom \ + MLD_NAMESPACE_KL(mld_matrix_permute_bitrev_to_custom) + +/* Helper function to ensure that the polynomial entries in the output + * of mld_polyvec_matrix_expand use the standard (bitreversed) ordering + * of coefficients. + * No-op unless a native backend with a custom ordering is used. + */ +static void mld_matrix_permute_bitrev_to_custom(mld_polyvecl mat[MLDSA_K]) +__contract__( + /* We don't specify that this should be a permutation, but only + * that it does not change the bound established at the end of + * mld_polyvec_matrix_expand. + */ + requires(memory_no_alias(mat, MLDSA_K * sizeof(mld_polyvecl))) + requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L, + array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q)))) + assigns(object_whole(mat)) + ensures(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L, + array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q)))) +) +{ +#if defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER) + /* TODO: proof */ + unsigned int i, j; + for (i = 0; i < MLDSA_K; i++) + { + for (j = 0; j < MLDSA_L; j++) + { + mld_poly_permute_bitrev_to_custom(mat[i].vec[j].coeffs); + } + } + +#else /* MLD_USE_NATIVE_NTT_CUSTOM_ORDER */ + + /* Nothing to do */ + ((void)mat); -static MLD_INLINE void mld_poly_permute_bitrev_to_custom(int32_t data[MLDSA_N]) -{ - ((void)data); -} #endif /* !MLD_USE_NATIVE_NTT_CUSTOM_ORDER */ +} MLD_INTERNAL_API @@ -112,17 +143,7 @@ void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K], i++; } - /* - * The public matrix is generated in NTT domain. If the native backend - * uses a custom order in NTT domain, permute A accordingly. - */ - for (i = 0; i < MLDSA_K; i++) - { - for (j = 0; j < MLDSA_L; j++) - { - mld_poly_permute_bitrev_to_custom(mat[i].vec[j].coeffs); - } - } + mld_matrix_permute_bitrev_to_custom(mat); /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */ mld_zeroize(seed_ext, sizeof(seed_ext)); diff --git a/proofs/cbmc/matrix_permute_bitrev_to_custom/Makefile b/proofs/cbmc/matrix_permute_bitrev_to_custom/Makefile new file mode 100644 index 000000000..738478314 --- /dev/null +++ b/proofs/cbmc/matrix_permute_bitrev_to_custom/Makefile @@ -0,0 +1,55 @@ +# Copyright (c) The mldsa-native project authors +# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT + +include ../Makefile_params.common + +HARNESS_ENTRY = harness +HARNESS_FILE = matrix_permute_bitrev_to_custom_harness + +# This should be a unique identifier for this proof, and will appear on the +# Litani dashboard. It can be human-readable and contain spaces if you wish. +PROOF_UID = matrix_permute_bitrev_to_custom + +DEFINES += +INCLUDES += + +REMOVE_FUNCTION_BODY += +UNWINDSET += + +PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c +PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c + +CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)mld_matrix_permute_bitrev_to_custom +USE_FUNCTION_CONTRACTS= +APPLY_LOOP_CONTRACTS=on +USE_DYNAMIC_FRAMES=1 + +# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead +EXTERNAL_SAT_SOLVER= +CBMCFLAGS=--smt2 --slice-formula --no-array-field-sensitivity + +FUNCTION_NAME = mld_matrix_permute_bitrev_to_custom + +# If this proof is found to consume huge amounts of RAM, you can set the +# EXPENSIVE variable. With new enough versions of the proof tools, this will +# restrict the number of EXPENSIVE CBMC jobs running at once. See the +# documentation in Makefile.common under the "Job Pools" heading for details. +# EXPENSIVE = true + +# This function is large enough to need... +CBMC_OBJECT_BITS = 12 + +# If you require access to a file-local ("static") function or object to conduct +# your proof, set the following (and do not include the original source file +# ("mldsa/poly.c") in PROJECT_SOURCES). +# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i +# include ../Makefile.common +# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/poly.c +# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar +# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz +# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must +# be set before including Makefile.common, but any use of variables on the +# left-hand side requires those variables to be defined. Hence, _SOURCE, +# _FUNCTIONS, _OBJECTS is set after including Makefile.common. + +include ../Makefile.common diff --git a/proofs/cbmc/matrix_permute_bitrev_to_custom/matrix_permute_bitrev_to_custom_harness.c b/proofs/cbmc/matrix_permute_bitrev_to_custom/matrix_permute_bitrev_to_custom_harness.c new file mode 100644 index 000000000..7178e8604 --- /dev/null +++ b/proofs/cbmc/matrix_permute_bitrev_to_custom/matrix_permute_bitrev_to_custom_harness.c @@ -0,0 +1,14 @@ +// Copyright (c) The mldsa-native project authors +// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT + +#include "polyvec.h" + +#define mld_matrix_permute_bitrev_to_custom \ + MLD_NAMESPACE_KL(mld_matrix_permute_bitrev_to_custom) +void mld_matrix_permute_bitrev_to_custom(mld_polyvecl mat[MLDSA_K]); + +void harness(void) +{ + mld_polyvecl *mat; + mld_matrix_permute_bitrev_to_custom(mat); +} diff --git a/proofs/cbmc/pack_pk/Makefile b/proofs/cbmc/pack_pk/Makefile index 3552b2cd5..4907cd63f 100644 --- a/proofs/cbmc/pack_pk/Makefile +++ b/proofs/cbmc/pack_pk/Makefile @@ -25,8 +25,7 @@ USE_DYNAMIC_FRAMES=1 # Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead EXTERNAL_SAT_SOLVER= -CBMCFLAGS=--smt2 -CBMCFLAGS += --slice-formula +CBMCFLAGS=--smt2 --no-array-field-sensitivity --slice-formula FUNCTION_NAME = pack_pk @@ -37,7 +36,7 @@ FUNCTION_NAME = pack_pk # EXPENSIVE = true # This function is large enough to need... -CBMC_OBJECT_BITS = 8 +CBMC_OBJECT_BITS = 11 # If you require access to a file-local ("static") function or object to conduct # your proof, set the following (and do not include the original source file diff --git a/proofs/cbmc/polyvec_matrix_expand/Makefile b/proofs/cbmc/polyvec_matrix_expand/Makefile index 5c4d10bf6..b5901639f 100644 --- a/proofs/cbmc/polyvec_matrix_expand/Makefile +++ b/proofs/cbmc/polyvec_matrix_expand/Makefile @@ -20,7 +20,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvec_matrix_expand -USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_uniform_4x $(MLD_NAMESPACE)poly_uniform +USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_uniform_4x $(MLD_NAMESPACE)poly_uniform $(MLD_NAMESPACE)mld_matrix_permute_bitrev_to_custom APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/polyvecl_add/Makefile b/proofs/cbmc/polyvecl_add/Makefile index 9dd5289e1..38de96cdd 100644 --- a/proofs/cbmc/polyvecl_add/Makefile +++ b/proofs/cbmc/polyvecl_add/Makefile @@ -37,7 +37,7 @@ FUNCTION_NAME = polyvecl_add # EXPENSIVE = true # This function is large enough to need... -CBMC_OBJECT_BITS = 8 +CBMC_OBJECT_BITS = 10 # If you require access to a file-local ("static") function or object to conduct # your proof, set the following (and do not include the original source file