CBMC: Add proofs on top of native functions(polyvecl_pointwise_acc_montgomery_native)

willieyz · mkannwischer · commit 6763fe841de1 · 2025-12-12T22:41:58.000+08:00
- This commit adds CBMC proofs for following the native function:
  `mld_polyvecl_pointwise_acc_montgomery_l4_native`,
  `mld_polyvecl_pointwise_acc_montgomery_l5_native` and
  `mld_polyvecl_pointwise_acc_montgomery_l7_native`
  called `polyvecl_pointwise_acc_montgomery_native`.

- This following changes are include:
  - Apply the same harness file and construct function contract reference
    from `polyvecl_pointwise_acc_montgomery`.
  - Use the following function contracts:
    - `mld_polyvecl_pointwise_acc_montgomery_l4_native`
    - `mld_polyvecl_pointwise_acc_montgomery_l5_native`
    - `mld_polyvecl_pointwise_acc_montgomery_l7_native`

- Add `MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4`,
      `MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5`,
      `MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7`
    in dummy_backend.h

Signed-off-by: willieyz &lt;willie.zhao@chelpis.com&gt;
diff --git a/mldsa/src/native/api.h b/mldsa/src/native/api.h
@@ -504,7 +504,20 @@ __contract__(
  **************************************************/
 static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l4_native(
     int32_t w[MLDSA_N], const int32_t u[4][MLDSA_N],
-    const int32_t v[4][MLDSA_N]);
+    const int32_t v[4][MLDSA_N])
+__contract__(
+  requires(memory_no_alias(w, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(u, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(v, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(forall(l0, 0, 4,
+                  array_bound(u[l0], 0, MLDSA_N, 0, MLDSA_Q)))
+  requires(forall(l1, 0, 4,
+    array_abs_bound(v[l1], 0, MLDSA_N, MLD_NTT_BOUND)))
+  assigns(memory_slice(w, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_abs_bound(w, 0, MLDSA_N, MLDSA_Q))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(w, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4 */
 
 #if defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5)
@@ -524,7 +537,20 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l4_native(
  **************************************************/
 static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l5_native(
     int32_t w[MLDSA_N], const int32_t u[5][MLDSA_N],
-    const int32_t v[5][MLDSA_N]);
+    const int32_t v[5][MLDSA_N])
+__contract__(
+  requires(memory_no_alias(w, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(u, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(v, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(forall(l0, 0, 5,
+                  array_bound(u[l0], 0, MLDSA_N, 0, MLDSA_Q)))
+  requires(forall(l1, 0, 5,
+    array_abs_bound(v[l1], 0, MLDSA_N, MLD_NTT_BOUND)))
+  assigns(memory_slice(w, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_abs_bound(w, 0, MLDSA_N, MLDSA_Q))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(w, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5 */
 
 #if defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7)
@@ -544,7 +570,20 @@ static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l5_native(
  **************************************************/
 static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l7_native(
     int32_t w[MLDSA_N], const int32_t u[7][MLDSA_N],
-    const int32_t v[7][MLDSA_N]);
+    const int32_t v[7][MLDSA_N])
+__contract__(
+  requires(memory_no_alias(w, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(u, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(v, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(forall(l0, 0, 7,
+                  array_bound(u[l0], 0, MLDSA_N, 0, MLDSA_Q)))
+  requires(forall(l1, 0, 7,
+    array_abs_bound(v[l1], 0, MLDSA_N, MLD_NTT_BOUND)))
+  assigns(memory_slice(w, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_abs_bound(w, 0, MLDSA_N, MLDSA_Q))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(w, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7 */
 
 #endif /* !MLD_NATIVE_API_H */
diff --git a/mldsa/src/polyvec.c b/mldsa/src/polyvec.c
@@ -375,7 +375,6 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
 {
 #if defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4) && \
     MLD_CONFIG_PARAMETER_SET == 44
-  /* TODO: proof */
   int ret;
   mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q);
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
@@ -389,7 +388,6 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
   }
 #elif defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5) && \
     MLD_CONFIG_PARAMETER_SET == 65
-  /* TODO: proof */
   int ret;
   mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q);
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
@@ -403,7 +401,6 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
   }
 #elif defined(MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7) && \
     MLD_CONFIG_PARAMETER_SET == 87
-  /* TODO: proof */
   int ret;
   mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q);
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
diff --git a/proofs/cbmc/dummy_backend.h b/proofs/cbmc/dummy_backend.h
@@ -21,6 +21,9 @@
 #define MLD_USE_NATIVE_POLYZ_UNPACK_17
 #define MLD_USE_NATIVE_POLYZ_UNPACK_19
 #define MLD_USE_NATIVE_POINTWISE_MONTGOMERY
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7
 
 #include "../../mldsa/src/native/api.h"
 
diff --git a/proofs/cbmc/polyvecl_pointwise_acc_montgomery_native/Makefile b/proofs/cbmc/polyvecl_pointwise_acc_montgomery_native/Makefile
@@ -0,0 +1,64 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = polyvecl_pointwise_acc_montgomery_native_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = polyvecl_pointwise_acc_montgomery_native
+
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/polyvec.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvecl_pointwise_acc_montgomery
+USE_FUNCTION_CONTRACTS= mld_polyvecl_pointwise_acc_montgomery_c
+ifeq ($(MLD_CONFIG_PARAMETER_SET),44)
+	USE_FUNCTION_CONTRACTS+=mld_polyvecl_pointwise_acc_montgomery_l4_native
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),65)
+	USE_FUNCTION_CONTRACTS+=mld_polyvecl_pointwise_acc_montgomery_l5_native
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),87)
+	USE_FUNCTION_CONTRACTS+=mld_polyvecl_pointwise_acc_montgomery_l7_native
+endif
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--external-smt2-solver $(PROOF_ROOT)/lib/z3_smt_only --z3
+CBMCFLAGS += --slice-formula
+CBMCFLAGS += --no-array-field-sensitivity
+
+FUNCTION_NAME = polyvecl_pointwise_acc_montgomery_native
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 12
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/polyvecl_pointwise_acc_montgomery_native/polyvecl_pointwise_acc_montgomery_native_harness.c b/proofs/cbmc/polyvecl_pointwise_acc_montgomery_native/polyvecl_pointwise_acc_montgomery_native_harness.c
@@ -0,0 +1,11 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "polyvec.h"
+
+void harness(void)
+{
+  mld_poly *a;
+  mld_polyvecl *b, *c;
+  mld_polyvecl_pointwise_acc_montgomery(a, b, c);
+}
