CBMC: Add proofs on top of native functions (poly_use_hint_native)

- This commit adds CBMC proofs for following the native function:
 `mld_poly_use_hint_32_native`, `mld_poly_use_hint_88_native`.
 called `poly_use_hint_native`.

- This following changes are include:

 - Apply the same harness file and construct function contract reference
  from `poly_use_hint`.

 - Use the following function contracts:
  - mld_poly_use_hint_c
  - mld_poly_use_hint_32_native
  - mld_poly_use_hint_88_native

 - Add `MLD_USE_NATIVE_POLY_USE_HINT_32`,
  `MLD_USE_NATIVE_POLY_USE_HINT_88` in dummy_backend.h

Signed-off-by: willieyz <willie.zhao@chelpis.com>

Author: willieyz

mldsa/src/native/api.h

@@ -342,7 +342,18 @@ __contract__(
  *              - const int32_t *h: pointer to input hint polynomial
  **************************************************/
 static MLD_INLINE int mld_poly_use_hint_32_native(int32_t *b, const int32_t *a,
-                                                  const int32_t *h);
+                                                  const int32_t *h)
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  requires(array_bound(h, 0, MLDSA_N, 0, 2))
+  assigns(memory_slice(b, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_bound(b, 0, MLDSA_N, 0, (MLDSA_Q-1)/(2*MLDSA_GAMMA2)))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(b, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLY_USE_HINT_32 */
 
 #if defined(MLD_USE_NATIVE_POLY_USE_HINT_88)
@@ -358,7 +369,18 @@ static MLD_INLINE int mld_poly_use_hint_32_native(int32_t *b, const int32_t *a,
  *              - const int32_t *h: pointer to input hint polynomial
  **************************************************/
 static MLD_INLINE int mld_poly_use_hint_88_native(int32_t *b, const int32_t *a,
-                                                  const int32_t *h);
+                                                  const int32_t *h)
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  requires(array_bound(h, 0, MLDSA_N, 0, 2))
+  assigns(memory_slice(b, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_bound(b, 0, MLDSA_N, 0, (MLDSA_Q-1)/(2*MLDSA_GAMMA2)))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(b, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLY_USE_HINT_88 */
 
 #if defined(MLD_USE_NATIVE_POLY_CHKNORM)

mldsa/src/poly_kl.c

@@ -158,7 +158,6 @@ void mld_poly_use_hint(mld_poly *b, const mld_poly *a, const mld_poly *h)
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
   mld_assert_bound(h->coeffs, MLDSA_N, 0, 2);
-  /* TODO: proof */
   ret = mld_poly_use_hint_88_native(b->coeffs, a->coeffs, h->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
@@ -170,7 +169,6 @@ void mld_poly_use_hint(mld_poly *b, const mld_poly *a, const mld_poly *h)
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
   mld_assert_bound(h->coeffs, MLDSA_N, 0, 2);
-  /* TODO: proof */
   ret = mld_poly_use_hint_32_native(b->coeffs, a->coeffs, h->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {

proofs/cbmc/dummy_backend.h

@@ -15,6 +15,8 @@
 #define MLD_USE_NATIVE_POLY_DECOMPOSE_32
 #define MLD_USE_NATIVE_POLY_DECOMPOSE_88
 #define MLD_USE_NATIVE_POLY_CADDQ
+#define MLD_USE_NATIVE_POLY_USE_HINT_32
+#define MLD_USE_NATIVE_POLY_USE_HINT_88
 
 #include "../../mldsa/src/native/api.h"
 

proofs/cbmc/poly_use_hint_native/Makefile

@@ -0,0 +1,62 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = poly_use_hint_native_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_use_hint_native
+
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_use_hint
+USE_FUNCTION_CONTRACTS=mld_poly_use_hint_c
+ifeq ($(MLD_CONFIG_PARAMETER_SET),44)
+	USE_FUNCTION_CONTRACTS+=mld_poly_use_hint_88_native
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),65)
+	USE_FUNCTION_CONTRACTS+=mld_poly_use_hint_32_native
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),87)
+	USE_FUNCTION_CONTRACTS+=mld_poly_use_hint_32_native
+endif
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = poly_use_hint_native
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/poly_use_hint_native/poly_use_hint_native_harness.c

@@ -0,0 +1,11 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "poly_kl.h"
+
+
+void harness(void)
+{
+  mld_poly *a, *b, *h;
+  mld_poly_use_hint(b, a, h);
+}