pq-code-package · mkannwischer · Dec 12, 2025 · Dec 1, 2025 · Dec 1, 2025 · Dec 3, 2025
@@ -547,9 +547,12 @@
 #endif /* MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 */
 #if defined(MLD_CONFIG_USE_NATIVE_BACKEND_ARITH)
 /* mldsa/src/native/api.h */
+#undef MLD_INTT_BOUND
 #undef MLD_NATIVE_API_H
 #undef MLD_NATIVE_FUNC_FALLBACK
 #undef MLD_NATIVE_FUNC_SUCCESS
+#undef MLD_NTT_BOUND
+#undef REDUCE32_RANGE_MAX
 /* mldsa/src/native/meta.h */
 #undef MLD_NATIVE_META_H
 #if defined(MLD_SYS_AARCH64)

@@ -544,9 +544,12 @@
 #endif /* MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 */
 #if defined(MLD_CONFIG_USE_NATIVE_BACKEND_ARITH)
 /* mldsa/src/native/api.h */
+#undef MLD_INTT_BOUND
 #undef MLD_NATIVE_API_H
 #undef MLD_NATIVE_FUNC_FALLBACK
 #undef MLD_NATIVE_FUNC_SUCCESS
+#undef MLD_NTT_BOUND
+#undef REDUCE32_RANGE_MAX
 /* mldsa/src/native/meta.h */
 #undef MLD_NATIVE_META_H
 #if defined(MLD_SYS_AARCH64)

@@ -8,14 +8,14 @@
 /***************************************************
  * Basic replacements for __CPROVER_XXX contracts
  ***************************************************/
-
 #ifndef CBMC
 
 #define __contract__(x)
 #define __loop__(x)
 #define cassert(x)
 
 #else /* !CBMC */
+
 #include <stdint.h>
 
 #define __contract__(x) x
@@ -128,6 +128,28 @@
 #define array_bound(array_var, qvar_lb, qvar_ub, value_lb, value_ub) \
   array_bound_core(CBMC_CONCAT(_cbmc_idx, __COUNTER__), (qvar_lb),      \
       (qvar_ub), (array_var), (value_lb), (value_ub))
+
+#define array_unchanged_core(qvar, qvar_lb, qvar_ub, array_var)        \
+  __CPROVER_forall                                                     \
+  {                                                                    \
+    unsigned qvar;                                                     \
+    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+    ((array_var)[(qvar)]) == (old(* (int16_t (*)[(qvar_ub)])(array_var)))[(qvar)] \
+  }
+
+#define array_unchanged(array_var, N) \
+    array_unchanged_core(CBMC_CONCAT(_cbmc_idx, __COUNTER__), 0, (N), (array_var))
+
+#define array_unchanged_u64_core(qvar, qvar_lb, qvar_ub, array_var)        \
+  __CPROVER_forall                                                     \
+  {                                                                    \
+    unsigned qvar;                                                     \
+    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+    ((array_var)[(qvar)]) == (old(* (uint64_t (*)[(qvar_ub)])(array_var)))[(qvar)] \
+  }
+
+#define array_unchanged_u64(array_var, N) \
+    array_unchanged_u64_core(CBMC_CONCAT(_cbmc_idx, __COUNTER__), 0, (N), (array_var))
 /* clang-format on */
 
 /* Wrapper around array_bound operating on absolute values.

@@ -46,10 +46,22 @@
  */
 
 #if defined(MLD_USE_FIPS202_X1_NATIVE)
-static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state);
-#endif
+static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state)
+__contract__(
+    requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
+    assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
+    ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+    ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged_u64(state, 25 * 1))
+);
+#endif /* MLD_USE_FIPS202_X1_NATIVE */
 #if defined(MLD_USE_FIPS202_X4_NATIVE)
-static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state);
-#endif
+static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state)
+__contract__(
+    requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
+    assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
+    ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+    ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged_u64(state, 25 * 4))
+);
+#endif /* MLD_USE_FIPS202_X4_NATIVE */
 
 #endif /* !MLD_FIPS202_NATIVE_API_H */
@@ -244,7 +244,6 @@ void mld_poly_pointwise_montgomery(mld_poly *c, const mld_poly *a,
                                    const mld_poly *b)
 {
 #if defined(MLD_USE_NATIVE_POINTWISE_MONTGOMERY)
-  /* TODO: proof */
   int ret;
   mld_assert_abs_bound(a->coeffs, MLDSA_N, MLD_NTT_BOUND);
   mld_assert_abs_bound(b->coeffs, MLDSA_N, MLD_NTT_BOUND);
@@ -368,7 +367,6 @@ __contract__(
   ensures(array_bound(a, 0, return_value, 0, MLDSA_Q))
 )
 {
-/* TODO: CBMC proof based on mld_rej_uniform_native */
 #if defined(MLD_USE_NATIVE_REJ_UNIFORM)
   int ret;
   mld_assert_bound(a, offset, 0, MLDSA_Q);
@@ -704,7 +702,6 @@ MLD_INTERNAL_API
 uint32_t mld_poly_chknorm(const mld_poly *a, int32_t B)
 {
 #if defined(MLD_USE_NATIVE_POLY_CHKNORM)
-  /* TODO: proof */
   int ret;
   int success;
   mld_assert_bound(a->coeffs, MLDSA_N, -REDUCE32_RANGE_MAX, REDUCE32_RANGE_MAX);

@@ -75,7 +75,6 @@ void mld_poly_decompose(mld_poly *a1, mld_poly *a0, const mld_poly *a)
 #if defined(MLD_USE_NATIVE_POLY_DECOMPOSE_88) && MLD_CONFIG_PARAMETER_SET == 44
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
-  /* TODO: proof */
   ret = mld_poly_decompose_88_native(a1->coeffs, a0->coeffs, a->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
@@ -88,7 +87,6 @@ void mld_poly_decompose(mld_poly *a1, mld_poly *a0, const mld_poly *a)
     (MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87)
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
-  /* TODO: proof */
   ret = mld_poly_decompose_32_native(a1->coeffs, a0->coeffs, a->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
@@ -160,7 +158,6 @@ void mld_poly_use_hint(mld_poly *b, const mld_poly *a, const mld_poly *h)
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
   mld_assert_bound(h->coeffs, MLDSA_N, 0, 2);
-  /* TODO: proof */
   ret = mld_poly_use_hint_88_native(b->coeffs, a->coeffs, h->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
@@ -172,7 +169,6 @@ void mld_poly_use_hint(mld_poly *b, const mld_poly *a, const mld_poly *h)
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
   mld_assert_bound(h->coeffs, MLDSA_N, 0, 2);
-  /* TODO: proof */
   ret = mld_poly_use_hint_32_native(b->coeffs, a->coeffs, h->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
@@ -313,7 +309,6 @@ __contract__(
   ensures(array_abs_bound(a, 0, return_value, MLDSA_ETA + 1))
 )
 {
-/* TODO: CBMC proof based on mld_rej_uniform_eta2_native */
 #if MLDSA_ETA == 2 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA2)
   int ret;
   mld_assert_abs_bound(a, offset, MLDSA_ETA + 1);
@@ -327,7 +322,6 @@ __contract__(
       return res;
     }
   }
-/* TODO: CBMC proof based on mld_rej_uniform_eta4_native */
 #elif MLDSA_ETA == 4 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA4)
   int ret;
   mld_assert_abs_bound(a, offset, MLDSA_ETA + 1);
@@ -867,7 +861,6 @@ MLD_INTERNAL_API
 void mld_polyz_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYZ_PACKEDBYTES])
 {
 #if defined(MLD_USE_NATIVE_POLYZ_UNPACK_17) && MLD_CONFIG_PARAMETER_SET == 44
-  /* TODO: proof */
   int ret;
   ret = mld_polyz_unpack_17_native(r->coeffs, a);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
@@ -877,7 +870,6 @@ void mld_polyz_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYZ_PACKEDBYTES])
   }
 #elif defined(MLD_USE_NATIVE_POLYZ_UNPACK_19) && \
     (MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87)
-  /* TODO: proof */
   int ret;
   ret = mld_polyz_unpack_19_native(r->coeffs, a);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)

@@ -375,7 +375,6 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
 {
 #if defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4) && \
     MLD_CONFIG_PARAMETER_SET == 44
-  /* TODO: proof */
   int ret;
   mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q);
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
@@ -389,7 +388,6 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
   }
 #elif defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5) && \
     MLD_CONFIG_PARAMETER_SET == 65
-  /* TODO: proof */
   int ret;
   mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q);
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
@@ -403,7 +401,6 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
   }
 #elif defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7) && \
     MLD_CONFIG_PARAMETER_SET == 87
-  /* TODO: proof */
   int ret;
   mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q);
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_DUMMY_ARITH_BACKEND_H
+#define MLD_DUMMY_ARITH_BACKEND_H
+
+
+#define MLD_USE_NATIVE_NTT
+#define MLD_USE_NATIVE_INTT
+#define MLD_USE_NATIVE_REJ_UNIFORM
+#define MLD_USE_NATIVE_REJ_UNIFORM_ETA2
+#define MLD_USE_NATIVE_REJ_UNIFORM_ETA4
+#define MLD_USE_NATIVE_POLY_DECOMPOSE_32
+#define MLD_USE_NATIVE_POLY_DECOMPOSE_88
+#define MLD_USE_NATIVE_POLY_CADDQ
+#define MLD_USE_NATIVE_POLY_USE_HINT_32
+#define MLD_USE_NATIVE_POLY_USE_HINT_88
+#define MLD_USE_NATIVE_POLY_CHKNORM
+#define MLD_USE_NATIVE_POLYZ_UNPACK_17
+#define MLD_USE_NATIVE_POLYZ_UNPACK_19
+#define MLD_USE_NATIVE_POINTWISE_MONTGOMERY
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7
+
+#include "../../mldsa/src/native/api.h"
+
+#endif /* !MLD_DUMMY_ARITH_BACKEND_H */
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_DUMMY_FIPS202X1_BACKEND_H
+#define MLD_DUMMY_FIPS202X1_BACKEND_H
+
+
+#define MLD_USE_FIPS202_X1_NATIVE
+
+#include "../../mldsa/src/fips202/native/api.h"
+
+#endif /* !MLD_DUMMY_FIPS202X1_BACKEND_H */
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_DUMMY_FIPS202X4_BACKEND_H
+#define MLD_DUMMY_FIPS202X4_BACKEND_H
+
+
+#define MLD_USE_FIPS202_X4_NATIVE
+
+#include "../../mldsa/src/fips202/native/api.h"
+
+#endif /* !MLD_DUMMY_FIPS202X4_BACKEND_H */
@@ -0,0 +1,55 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = keccakf1600_permute_native_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = keccakf1600_permute_native
+
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 -DMLD_CONFIG_FIPS202_BACKEND_FILE="\"dummy_backend_fips202_x1.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/fips202/keccakf1600.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)keccakf1600_permute
+USE_FUNCTION_CONTRACTS=mld_keccak_f1600_x1_native
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = mld_keccakf1600_permute_native
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
@@ -0,0 +1,10 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <keccakf1600.h>
+
+void harness(void)
+{
+  uint64_t *a;
+  mld_keccakf1600_permute(a);
+}