Conversation

mkannwischer (Contributor) commented Dec 30, 2025

This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time), allowing us to eliminate the polyvecl
z (at the cost of a single poly z).
De facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortunately, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.
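The streamed computation of z described in this PR, as an added example that is not mldsa-native's own code: both functions below compute z = y + s1*cp, apply the signing rejection test ||z||_inf < gamma1 - beta and pack the result, but compute_z_streamed reuses a single poly where compute_z_full materialises a whole polyvecl, which is exactly the L-1 KB difference. The ML-DSA-65 parameters (L = 5, eta = 4, tau = 49, gamma1 = 2^19), the schoolbook multiplication standing in for the NTT, the 4-bytes-per-coefficient packing and the xorshift input generator are assumptions made for the illustration, not the project's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ML-DSA-65 parameters (FIPS 204), assumed here for the illustration. */
#define MLD_N 256
#define MLD_L 5
#define MLD_Q 8380417
#define MLD_ETA 4
#define MLD_TAU 49
#define MLD_BETA (MLD_TAU * MLD_ETA)   /* 196 */
#define MLD_GAMMA1 (1 << 19)
#define ZBYTES (4 * MLD_N)   /* simplified packing: 4 LE bytes per coefficient, not the FIPS 204 encoding */

typedef struct { int32_t coeffs[MLD_N]; } poly;   /* 1 KB */
typedef struct { poly vec[MLD_L]; } polyvecl;     /* L KB */

/* Constructed xorshift64 generator for deterministic test inputs; not a CSPRNG. */
static uint64_t prng_next(uint64_t *s)
{
  uint64_t x = *s;
  x ^= x << 13; x ^= x >> 7; x ^= x << 17;
  return *s = x;
}

/* r = a*b in Z_q[X]/(X^N+1) by negacyclic schoolbook multiplication, a stand-in
 * for the NTT path of the real code. Operands are small, so int64 cannot overflow. */
static void poly_mul(poly *r, const poly *a, const poly *b)
{
  int64_t acc[MLD_N] = {0};
  for (int i = 0; i < MLD_N; i++)
    for (int j = 0; j < MLD_N; j++) {
      int64_t p = (int64_t)a->coeffs[i] * b->coeffs[j];
      if (i + j < MLD_N) acc[i + j] += p; else acc[i + j - MLD_N] -= p;
    }
  for (int k = 0; k < MLD_N; k++) {
    int64_t v = acc[k] % MLD_Q;
    if (v < 0) v += MLD_Q;
    if (v > (MLD_Q - 1) / 2) v -= MLD_Q;   /* centred representative */
    r->coeffs[k] = (int32_t)v;
  }
}

static void poly_add(poly *r, const poly *a)
{
  for (int k = 0; k < MLD_N; k++) r->coeffs[k] += a->coeffs[k];
}

/* 1 if every coefficient satisfies |c| < bound, 0 otherwise (the rejection test). */
static int poly_chknorm(const poly *a, int32_t bound)
{
  for (int k = 0; k < MLD_N; k++)
    if (a->coeffs[k] >= bound || a->coeffs[k] <= -bound) return 0;
  return 1;
}

static void poly_pack(uint8_t *out, const poly *a)
{
  for (int k = 0; k < MLD_N; k++)
    for (int b = 0; b < 4; b++) out[4 * k + b] = (uint8_t)((uint32_t)a->coeffs[k] >> (8 * b));
}

/* Pre-PR shape: materialise the whole polyvecl z before checking and packing. */
static int compute_z_full(uint8_t *out, const polyvecl *y, const polyvecl *s1, const poly *cp)
{
  polyvecl z;   /* L KB of stack */
  for (int i = 0; i < MLD_L; i++) { poly_mul(&z.vec[i], &s1->vec[i], cp); poly_add(&z.vec[i], &y->vec[i]); }
  for (int i = 0; i < MLD_L; i++)
    if (!poly_chknorm(&z.vec[i], MLD_GAMMA1 - MLD_BETA)) return -1;   /* reject: caller retries with fresh y */
  for (int i = 0; i < MLD_L; i++) poly_pack(out + i * ZBYTES, &z.vec[i]);
  return 0;
}

/* PR shape: one poly is reused for every z_i; each is checked and packed before the next. */
static int compute_z_streamed(uint8_t *out, const polyvecl *y, const polyvecl *s1, const poly *cp)
{
  poly z;   /* 1 KB of stack */
  for (int i = 0; i < MLD_L; i++) {
    poly_mul(&z, &s1->vec[i], cp);
    poly_add(&z, &y->vec[i]);
    if (!poly_chknorm(&z, MLD_GAMMA1 - MLD_BETA)) return -1;
    poly_pack(out + i * ZBYTES, &z);
  }
  return 0;
}

/* Stack the streamed variant no longer needs: (L-1) KB. */
static size_t stack_saving_bytes(void) { return sizeof(polyvecl) - sizeof(poly); }

/* Constructed inputs in the ranges signing produces: y in [-gamma1+1, gamma1],
 * s1 in [-eta, eta], cp with tau coefficients in {-1, +1}. */
static void make_inputs(uint64_t seed, polyvecl *y, polyvecl *s1, poly *cp)
{
  uint64_t s = seed * 0x9E3779B97F4A7C15ULL + 1;
  for (int i = 0; i < MLD_L; i++)
    for (int k = 0; k < MLD_N; k++) {
      y->vec[i].coeffs[k]  = (int32_t)(prng_next(&s) % (2 * MLD_GAMMA1)) - MLD_GAMMA1 + 1;
      s1->vec[i].coeffs[k] = (int32_t)(prng_next(&s) % (2 * MLD_ETA + 1)) - MLD_ETA;
    }
  memset(cp, 0, sizeof *cp);
  for (int t = 0; t < MLD_TAU;) {
    unsigned idx = (unsigned)(prng_next(&s) % MLD_N);
    if (cp->coeffs[idx] != 0) continue;
    cp->coeffs[idx] = (prng_next(&s) & 1) ? 1 : -1;
    t++;
  }
}

/* Runs both variants on the same inputs. Returns 1 if they agree (same accept/reject
 * decision and, on accept, identical packed bytes); *rc receives the decision. */
static int variants_agree(uint64_t seed, int *rc)
{
  static polyvecl y, s1;
  static uint8_t a[MLD_L * ZBYTES], b[MLD_L * ZBYTES];
  poly cp;
  make_inputs(seed, &y, &s1, &cp);
  int ra = compute_z_full(a, &y, &s1, &cp);
  int rb = compute_z_streamed(b, &y, &s1, &cp);
  if (rc) *rc = ra;
  if (ra != rb) return 0;
  return ra != 0 || memcmp(a, b, sizeof a) == 0;
}

/* First seed in [1, max] whose inputs pass the norm check, or 0 if none does. */
static uint64_t find_accepting_seed(uint64_t max)
{
  for (uint64_t seed = 1; seed <= max; seed++) {
    int rc;
    if (variants_agree(seed, &rc) && rc == 0) return seed;
  }
  return 0;
}

int main(void)
{
  for (uint64_t seed = 1; seed <= 4; seed++) {
    int rc, ok = variants_agree(seed, &rc);
    printf("seed %llu: %s, %s\n", (unsigned long long)seed, ok ? "agree" : "DIFFER", rc == 0 ? "accepted" : "rejected");
  }
  printf("stack saved by streaming z: %zu bytes\n", stack_saving_bytes());
  return 0;
}
```

Rejections are expected for some seeds: a coefficient of y near gamma1 plus the contribution of s1*cp (bounded by beta) exceeds the bound, and signing restarts with a fresh y. What matters for the PR is that the streamed variant makes the same decision and produces the same bytes while holding only one poly; the norm check moving inside the loop is what permits discarding each z_i as soon as it is packed.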

mkannwischer force-pushed the stack-stream-z branch 8 times, most recently from 01d6afc to 691c8ca on December 31, 2025 03:35
mkannwischer force-pushed the stack-stream-z branch 2 times, most recently from 0a3ebf4 to 57fd4a8 on December 31, 2025 09:35
mkannwischer marked this pull request as ready for review December 31, 2025 10:12
mkannwischer requested a review from a team as a code owner December 31, 2025 10:12
mkannwischer added a commit that referenced this pull request Jan 3, 2026
Alternative to #822 that
I hope to be less controversial.
Currently the constant time tests for verification rely on the signature
being declassified at the end of verification. This is not ideal.
This commit moves this declassification to the constant-time test instead.

As suggested in
#822 (review),
there is more work left to clean up the story around declassifications.
This PR is a first step towards cleaning up that story to unblock
#825 and
#821, but there is more
work left.

Signed-off-by: Matthias J. Kannwischer <[email protected]>
mkannwischer force-pushed the stack-stream-z branch 2 times, most recently from 381cfef to b9e4017 on January 3, 2026 11:48
This commit reduces the stack usage of signing by computing z = y + s1*cp
incrementally (one polynomial at a time), allowing us to eliminate the polyvecl
z (at the cost of a single poly z).
De facto this saves L-1 KB irrespective of MLD_CONFIG_REDUCE_RAM.

Practically, the same buffer was used early in the function too. Here we
instead introduce a new polyvecl buffer tmp, but that can be placed in a union
together with w1.
Unfortunately, with the current struct workaround for
diffblue/cbmc#8813, this results in an increase in
stack space by L KB.
This gets eliminated when MLD_CONFIG_REDUCE_RAM is set.

Hoisted out from #791

Signed-off-by: Matthias J. Kannwischer <[email protected]>
For some reason the previous (unrelated) commit caused the
verify_pre_hash_internal proof to fail due to extra functions in
USE_FUNCTION_CONTRACTS.
This commit removes the extra functions.

Signed-off-by: Matthias J. Kannwischer <[email protected]>
hanno-becker (Contributor) commented:
I prefer #825 hoisting the computation of z into a separate function.

mkannwischer (Contributor, Author) commented:
I prefer #825 hoisting the computation of z into a separate function.

Okay. Closing in favour of #825

3 participants