CBMC: Add proof and spec for polyvec_matrix_expand

mkannwischer · rod-chapman · commit bf47bd09d88b · 2025-05-21T12:44:21.000+01:00
Resolves #137 Signed-off-by: willieyz <willie.zhao@chelpis.com> Correction to assigns() contracts following review. Also move local variable declaration inside scope of inner loop and remove from that loop's assigns contract. Signed-off-by: Rod Chapman <rodchap@amazon.com>
diff --git a/mldsa/polyvec.c b/mldsa/polyvec.c
@@ -23,19 +23,36 @@ void polyvec_matrix_expand(polyvecl mat[MLDSA_K],
   MLD_ALIGN uint8_t seed_ext[4][MLD_ALIGN_UP(MLDSA_SEEDBYTES + 2)];
 
   for (j = 0; j < 4; j++)
+  __loop__(
+    assigns(j, object_whole(seed_ext))
+    invariant(j <= 4)
+  )
   {
     memcpy(seed_ext[j], rho, MLDSA_SEEDBYTES);
   }
-
   /* Sample 4 matrix entries a time. */
   for (i = 0; i < (MLDSA_K * MLDSA_L / 4) * 4; i += 4)
+  __loop__(
+    assigns(i, j, object_whole(seed_ext), memory_slice(mat, MLDSA_K * sizeof(polyvecl)))
+    invariant(i <= (MLDSA_K * MLDSA_L / 4) * 4 && i % 4 == 0)
+    /* vectors 0 .. i / MLDSA_L are completely sampled */
+    invariant(forall(k1, 0, i / MLDSA_L, forall(l1, 0, MLDSA_L,
+      array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+    /* last vector is sampled up to i % MLDSA_L */
+    invariant(forall(k2, i / MLDSA_L, i / MLDSA_L + 1, forall(l2, 0, i % MLDSA_L,
+      array_bound(mat[k2].vec[l2].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+  )
   {
-    uint8_t x, y;
+    poly tmpvec[4];
 
     for (j = 0; j < 4; j++)
+    __loop__(
+      assigns(j, object_whole(seed_ext))
+      invariant(j <= 4)
+    )
     {
-      x = (i + j) / MLDSA_L;
-      y = (i + j) % MLDSA_L;
+      uint8_t x = (i + j) / MLDSA_L;
+      uint8_t y = (i + j) % MLDSA_L;
 
       seed_ext[j][MLDSA_SEEDBYTES + 0] = y;
       seed_ext[j][MLDSA_SEEDBYTES + 1] = x;
@@ -48,20 +65,43 @@ void polyvec_matrix_expand(polyvecl mat[MLDSA_K],
      * does not introduce any padding here. Need to refactor the data type to
      * polymat as in mlkem-native.
      */
-    poly_uniform_4x(&mat[(i) / MLDSA_L].vec[(i) % MLDSA_L], seed_ext);
+
+    /* Full struct assignment from local variables to simplify proof */
+    /* TODO: eliminate once CBMC resolves
+     * https://github.com/diffblue/cbmc/issues/8617 */
+    poly_uniform_4x(tmpvec, seed_ext);
+    mat[i / MLDSA_L].vec[i % MLDSA_L] = tmpvec[0];
+    mat[(i + 1) / MLDSA_L].vec[(i + 1) % MLDSA_L] = tmpvec[1];
+    mat[(i + 2) / MLDSA_L].vec[(i + 2) % MLDSA_L] = tmpvec[2];
+    mat[(i + 3) / MLDSA_L].vec[(i + 3) % MLDSA_L] = tmpvec[3];
   }
 
   /* For MLDSA_K=6, MLDSA_L=5, process the last two entries individually */
   while (i < MLDSA_K * MLDSA_L)
+  __loop__(
+    assigns(i, object_whole(seed_ext), memory_slice(mat, MLDSA_K * sizeof(polyvecl)))
+    invariant(i <= MLDSA_K * MLDSA_L)
+    /* vectors 0 .. i / MLDSA_L are completely sampled */
+    invariant(forall(k1, 0, i / MLDSA_L, forall(l1, 0, MLDSA_L,
+      array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+    /* last vector is sampled up to i % MLDSA_L */
+    invariant(forall(k2, i / MLDSA_L, i / MLDSA_L + 1, forall(l2, 0, i % MLDSA_L,
+      array_bound(mat[k2].vec[l2].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+  )
   {
-    uint8_t x, y;
-    x = i / MLDSA_L;
-    y = i % MLDSA_L;
+    poly tmp;
+    uint8_t x = i / MLDSA_L;
+    uint8_t y = i % MLDSA_L;
 
     seed_ext[0][MLDSA_SEEDBYTES + 0] = y;
     seed_ext[0][MLDSA_SEEDBYTES + 1] = x;
 
-    poly_uniform(&mat[i / MLDSA_L].vec[i % MLDSA_L], seed_ext[0]);
+
+    /* Full struct assignment from local variables to simplify proof */
+    /* TODO: eliminate once CBMC resolves
+     * https://github.com/diffblue/cbmc/issues/8617 */
+    poly_uniform(&tmp, seed_ext[0]);
+    mat[i / MLDSA_L].vec[i % MLDSA_L] = tmp;
 
     i++;
   }
diff --git a/mldsa/polyvec.h b/mldsa/polyvec.h
@@ -606,7 +606,16 @@ __contract__(
  *              - const uint8_t rho[]: byte array containing seed rho
  **************************************************/
 void polyvec_matrix_expand(polyvecl mat[MLDSA_K],
-                           const uint8_t rho[MLDSA_SEEDBYTES]);
+                           const uint8_t rho[MLDSA_SEEDBYTES])
+__contract__(
+  requires(memory_no_alias(mat, MLDSA_K * sizeof(polyvecl)))
+  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
+  assigns(memory_slice(mat, MLDSA_K * sizeof(polyvecl)))
+  ensures(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
+    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+);
+
+
 
 #define polyvec_matrix_pointwise_montgomery \
   MLD_NAMESPACE(polyvec_matrix_pointwise_montgomery)
diff --git a/proofs/cbmc/polyvec_matrix_expand/Makefile b/proofs/cbmc/polyvec_matrix_expand/Makefile
@@ -0,0 +1,55 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = polyvec_matrix_expand_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = polyvec_matrix_expand
+
+DEFINES +=
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET += 
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/polyvec.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvec_matrix_expand
+USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_uniform_4x $(MLD_NAMESPACE)poly_uniform
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = polyvec_matrix_expand
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/polyvec_matrix_expand/polyvec_matrix_expand_harness.c b/proofs/cbmc/polyvec_matrix_expand/polyvec_matrix_expand_harness.c
@@ -0,0 +1,12 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "polyvec.h"
+
+void harness(void)
+{
+  polyvecl *mat;
+  uint8_t *rho;
+
+  polyvec_matrix_expand(mat, rho);
+}
