CBMC: Add proofs on top of native functions (poly_decompose_native)

willieyz · mkannwischer · commit cbff48565ec2 · 2025-12-12T22:41:58.000+08:00
- This commit adds CBMC proofs for following the native function:
  `mld_poly_decompose_32_native`, `mld_poly_decompose_88_native`.
  called `poly_decompose_native`.

- This following changes are include:

  - Apply the same harness file and construct function contract reference
    from `poly_decompose`.

  - Use the following function contracts:
    - mld_poly_decompose_c
    - mld_poly_decompose_32_native
    - mld_poly_decompose_88_native

  - Add `MLD_USE_NATIVE_POLY_DECOMPOSE_32`,
    `MLD_USE_NATIVE_POLY_DECOMPOSE_88` in dummy_backend.h

Signed-off-by: willieyz &lt;willie.zhao@chelpis.com&gt;
diff --git a/mldsa/src/native/api.h b/mldsa/src/native/api.h
@@ -258,7 +258,20 @@ __contract__(
  *              - const int32_t *a: input polynomial
  **************************************************/
 static MLD_INLINE int mld_poly_decompose_32_native(int32_t *a1, int32_t *a0,
-                                                   const int32_t *a);
+                                                   const int32_t *a)
+__contract__(
+  requires(memory_no_alias(a1,  sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_bound(a1, 0, MLDSA_N, 0, (MLDSA_Q-1)/(2*MLDSA_GAMMA2)))
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_abs_bound(a0, 0, MLDSA_N, MLDSA_GAMMA2+1))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(a, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLY_DECOMPOSE_32 */
 
 #if defined(MLD_USE_NATIVE_POLY_DECOMPOSE_88)
@@ -279,7 +292,20 @@ static MLD_INLINE int mld_poly_decompose_32_native(int32_t *a1, int32_t *a0,
  *              - const int32_t *a: input polynomial
  **************************************************/
 static MLD_INLINE int mld_poly_decompose_88_native(int32_t *a1, int32_t *a0,
-                                                   const int32_t *a);
+                                                   const int32_t *a)
+__contract__(
+  requires(memory_no_alias(a1,  sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value == MLD_NATIVE_FUNC_FALLBACK || return_value == MLD_NATIVE_FUNC_SUCCESS)
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_bound(a1, 0, MLDSA_N, 0, (MLDSA_Q-1)/(2*MLDSA_GAMMA2)))
+  ensures((return_value == MLD_NATIVE_FUNC_SUCCESS) ==> array_abs_bound(a0, 0, MLDSA_N, MLDSA_GAMMA2+1))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  ensures((return_value == MLD_NATIVE_FUNC_FALLBACK) ==> array_unchanged(a, MLDSA_N))
+);
 #endif /* MLD_USE_NATIVE_POLY_DECOMPOSE_88 */
 
 #if defined(MLD_USE_NATIVE_POLY_CADDQ)
diff --git a/mldsa/src/poly_kl.c b/mldsa/src/poly_kl.c
@@ -75,7 +75,6 @@ void mld_poly_decompose(mld_poly *a1, mld_poly *a0, const mld_poly *a)
 #if defined(MLD_USE_NATIVE_POLY_DECOMPOSE_88) && MLD_CONFIG_PARAMETER_SET == 44
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
-  /* TODO: proof */
   ret = mld_poly_decompose_88_native(a1->coeffs, a0->coeffs, a->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
@@ -88,7 +87,6 @@ void mld_poly_decompose(mld_poly *a1, mld_poly *a0, const mld_poly *a)
     (MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87)
   int ret;
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
-  /* TODO: proof */
   ret = mld_poly_decompose_32_native(a1->coeffs, a0->coeffs, a->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
diff --git a/proofs/cbmc/dummy_backend.h b/proofs/cbmc/dummy_backend.h
@@ -12,6 +12,8 @@
 #define MLD_USE_NATIVE_REJ_UNIFORM
 #define MLD_USE_NATIVE_REJ_UNIFORM_ETA2
 #define MLD_USE_NATIVE_REJ_UNIFORM_ETA4
+#define MLD_USE_NATIVE_POLY_DECOMPOSE_32
+#define MLD_USE_NATIVE_POLY_DECOMPOSE_88
 
 #include "../../mldsa/src/native/api.h"
 
diff --git a/proofs/cbmc/poly_decompose_native/Makefile b/proofs/cbmc/poly_decompose_native/Makefile
@@ -0,0 +1,62 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = poly_decompose_native_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_decompose_native
+
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_decompose
+USE_FUNCTION_CONTRACTS= mld_poly_decompose_c
+ifeq ($(MLD_CONFIG_PARAMETER_SET),44)
+	USE_FUNCTION_CONTRACTS+=mld_poly_decompose_88_native
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),65)
+	USE_FUNCTION_CONTRACTS+=mld_poly_decompose_32_native
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),87)
+	USE_FUNCTION_CONTRACTS+=mld_poly_decompose_32_native
+endif
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = poly_decompose_native
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/poly_decompose_native/poly_decompose_native_harness.c b/proofs/cbmc/poly_decompose_native/poly_decompose_native_harness.c
@@ -0,0 +1,11 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "poly_kl.h"
+
+
+void harness(void)
+{
+  mld_poly *a0, *a1, *a;
+  mld_poly_decompose(a1, a0, a);
+}
