HOL-Light: Add AArch64 poly_decompose_{32,88} correctness proofs

.github/workflows/hol_light.yml

@@ -12,6 +12,7 @@ on:
      - 'proofs/hol_light/aarch64/Makefile'
      - 'proofs/hol_light/aarch64/**/*.S'
      - 'proofs/hol_light/aarch64/**/*.ml'
+     - 'proofs/hol_light/common/**/*.ml'
      - 'proofs/hol_light/x86_64/Makefile'
      - 'proofs/hol_light/x86_64/**/*.S'
      - 'proofs/hol_light/x86_64/**/*.ml'
@@ -26,6 +27,7 @@ on:
       - 'proofs/hol_light/aarch64/Makefile'
       - 'proofs/hol_light/aarch64/**/*.S'
       - 'proofs/hol_light/aarch64/**/*.ml'
+      - 'proofs/hol_light/common/**/*.ml'
       - 'proofs/hol_light/x86_64/Makefile'
       - 'proofs/hol_light/x86_64/**/*.S'
       - 'proofs/hol_light/x86_64/**/*.ml'
@@ -81,6 +83,16 @@ jobs:
           # Dependencies on {name}.{S,ml} are implicit
           - name: mldsa_poly_caddq
             needs: ["aarch64_utils.ml"]
+          - name: mldsa_poly_chknorm
+            needs: ["aarch64_utils.ml"]
+          - name: mldsa_polyz_unpack_17
+            needs: ["aarch64_utils.ml", "mldsa_polyz_unpack_consts.ml", "mldsa_specs.ml"]
+          - name: mldsa_polyz_unpack_19
+            needs: ["aarch64_utils.ml", "mldsa_polyz_unpack_consts.ml", "mldsa_specs.ml"]
+          - name: mldsa_poly_decompose_32
+            needs: ["aarch64_utils.ml", "mldsa_specs.ml"]
+          - name: mldsa_poly_decompose_88
+            needs: ["aarch64_utils.ml", "mldsa_specs.ml"]
     name: AArch64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-arm64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

dev/aarch64_clean/src/arith_native_aarch64.h

@@ -71,10 +71,36 @@ uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
                                   unsigned buflen, const uint8_t *table);
 
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
-void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_decompose_32.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
+  /* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 261889))
+);
 
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
-void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_decompose_88.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
+  /* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 95233))
+);
 
 #define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
 void mld_poly_caddq_asm(int32_t *a)
@@ -95,15 +121,42 @@ void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_poly_chknorm_asm(const int32_t *a, int32_t B);
+int mld_poly_chknorm_asm(const int32_t *a, int32_t B)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_chknorm.ml */
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  /* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
+  requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
+  ensures(return_value == 0 || return_value == 1)
+  ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
+);
 
 #define mld_polyz_unpack_17_asm MLD_NAMESPACE(polyz_unpack_17_asm)
 void mld_polyz_unpack_17_asm(int32_t *r, const uint8_t *buf,
-                             const uint8_t *indices);
+                             const uint8_t *indices)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_17.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, 576))
+  requires(indices == mld_polyz_unpack_17_indices)
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(r, 0, MLDSA_N, -((1 << 17) - 1), (1 << 17) + 1))
+);
 
 #define mld_polyz_unpack_19_asm MLD_NAMESPACE(polyz_unpack_19_asm)
 void mld_polyz_unpack_19_asm(int32_t *r, const uint8_t *buf,
-                             const uint8_t *indices);
+                             const uint8_t *indices)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_19.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, 640))
+  requires(indices == mld_polyz_unpack_19_indices)
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(r, 0, MLDSA_N, -((1 << 19) - 1), (1 << 19) + 1))
+);
 
 #define mld_poly_pointwise_montgomery_asm \
   MLD_NAMESPACE(poly_pointwise_montgomery_asm)

dev/aarch64_opt/src/arith_native_aarch64.h

@@ -71,10 +71,36 @@ uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
                                   unsigned buflen, const uint8_t *table);
 
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
-void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_decompose_32.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
+  /* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 261889))
+);
 
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
-void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_decompose_88.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
+  /* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 95233))
+);
 
 #define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
 void mld_poly_caddq_asm(int32_t *a)
@@ -95,15 +121,42 @@ void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_poly_chknorm_asm(const int32_t *a, int32_t B);
+int mld_poly_chknorm_asm(const int32_t *a, int32_t B)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_chknorm.ml */
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  /* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
+  requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
+  ensures(return_value == 0 || return_value == 1)
+  ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
+);
 
 #define mld_polyz_unpack_17_asm MLD_NAMESPACE(polyz_unpack_17_asm)
 void mld_polyz_unpack_17_asm(int32_t *r, const uint8_t *buf,
-                             const uint8_t *indices);
+                             const uint8_t *indices)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_17.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, 576))
+  requires(indices == mld_polyz_unpack_17_indices)
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(r, 0, MLDSA_N, -((1 << 17) - 1), (1 << 17) + 1))
+);
 
 #define mld_polyz_unpack_19_asm MLD_NAMESPACE(polyz_unpack_19_asm)
 void mld_polyz_unpack_19_asm(int32_t *r, const uint8_t *buf,
-                             const uint8_t *indices);
+                             const uint8_t *indices)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_19.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, 640))
+  requires(indices == mld_polyz_unpack_19_indices)
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(r, 0, MLDSA_N, -((1 << 19) - 1), (1 << 19) + 1))
+);
 
 #define mld_poly_pointwise_montgomery_asm \
   MLD_NAMESPACE(poly_pointwise_montgomery_asm)

dev/aarch64_opt/src/poly_chknorm_asm.S

@@ -30,7 +30,7 @@ MLD_ASM_FN_SYMBOL(poly_chknorm_asm)
         // Load constants
         dup bound.4s, B
 
-        movi flags.4s, 0
+        eor flags.16b, flags.16b, flags.16b
 
         mov count, #(64/4)
 

mldsa/src/native/aarch64/src/arith_native_aarch64.h

@@ -71,10 +71,36 @@ uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
                                   unsigned buflen, const uint8_t *table);
 
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
-void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_decompose_32.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
+  /* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 261889))
+);
 
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
-void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_decompose_88.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
+  /* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 95233))
+);
 
 #define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
 void mld_poly_caddq_asm(int32_t *a)
@@ -95,15 +121,42 @@ void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_poly_chknorm_asm(const int32_t *a, int32_t B);
+int mld_poly_chknorm_asm(const int32_t *a, int32_t B)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_chknorm.ml */
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  /* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
+  requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
+  ensures(return_value == 0 || return_value == 1)
+  ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
+);
 
 #define mld_polyz_unpack_17_asm MLD_NAMESPACE(polyz_unpack_17_asm)
 void mld_polyz_unpack_17_asm(int32_t *r, const uint8_t *buf,
-                             const uint8_t *indices);
+                             const uint8_t *indices)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_17.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, 576))
+  requires(indices == mld_polyz_unpack_17_indices)
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(r, 0, MLDSA_N, -((1 << 17) - 1), (1 << 17) + 1))
+);
 
 #define mld_polyz_unpack_19_asm MLD_NAMESPACE(polyz_unpack_19_asm)
 void mld_polyz_unpack_19_asm(int32_t *r, const uint8_t *buf,
-                             const uint8_t *indices);
+                             const uint8_t *indices)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_polyz_unpack_19.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, 640))
+  requires(indices == mld_polyz_unpack_19_indices)
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(r, 0, MLDSA_N, -((1 << 19) - 1), (1 << 19) + 1))
+);
 
 #define mld_poly_pointwise_montgomery_asm \
   MLD_NAMESPACE(poly_pointwise_montgomery_asm)

mldsa/src/native/aarch64/src/poly_chknorm_asm.S

@@ -22,7 +22,7 @@ MLD_ASM_FN_SYMBOL(poly_chknorm_asm)
 
         .cfi_startproc
         dup	v20.4s, w1
-        movi	v21.4s, #0x0
+        eor	v21.16b, v21.16b, v21.16b
         mov	x2, #0x10               // =16
 
 Lpoly_chknorm_loop:

mldsa/src/native/api.h

@@ -440,7 +440,7 @@ __contract__(
   requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
   requires(0 <= B && B <= MLDSA_Q - REDUCE32_RANGE_MAX)
   requires(array_bound(a, 0, MLDSA_N, -REDUCE32_RANGE_MAX, REDUCE32_RANGE_MAX))
-  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == 0 || return_value == 1)
   ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
 );
 #endif /* MLD_USE_NATIVE_POLY_CHKNORM */

mldsa/src/poly.c

@@ -956,7 +956,7 @@ uint32_t mld_poly_chknorm(const mld_poly *a, int32_t B)
   if (success)
   {
     /* Convert 0 / 1 to 0 / 0xFFFFFFFF here */
-    return 0U - (uint32_t)ret;
+    return mld_ct_cmask_nonzero_u32((uint32_t)ret);
   }
 #endif /* MLD_USE_NATIVE_POLY_CHKNORM */
   return mld_poly_chknorm_c(a, B);

nix/s2n_bignum/default.nix

@@ -4,12 +4,12 @@
 { stdenv, fetchFromGitHub, writeText, ... }:
 stdenv.mkDerivation rec {
   pname = "s2n_bignum";
-  version = "113a146ab49c19281388881b3650b63a6a67e8dc";
+  version = "f9ebd40af24087c503ecaca008be22edd166afab";
   src = fetchFromGitHub {
-    owner = "awslabs";
+    owner = "mkannwischer";
     repo = "s2n-bignum";
     rev = "${version}";
-    hash = "sha256-Ub+Nrlo8DEmz3H5SdgcH9iLbNJnZmLvGk3dGgWar2kY=";
+    hash = "sha256-gXwGRS4TLFESnSbLRiFyMKqCiBA0hCIQibWzuDfpLeM=";
   };
   setupHook = writeText "setup-hook.sh" ''
     export S2N_BIGNUM_DIR="$1"

proofs/cbmc/poly_chknorm_native/Makefile

@@ -22,6 +22,7 @@ PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly.c
 CHECK_FUNCTION_CONTRACTS=mld_poly_chknorm
 USE_FUNCTION_CONTRACTS=mld_poly_chknorm_native
 USE_FUNCTION_CONTRACTS+=mld_poly_chknorm_c
+USE_FUNCTION_CONTRACTS+=mld_ct_cmask_nonzero_u32
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1