sign: Compute h incrementally to reduce stack usage

Instead of allocating a full polyveck for h in attempt_signature_generation,
compute cs2, ct0, and hints one polynomial at a time using scratch polys.

This eliminates the polyveck h from the yh_u union, replacing
mld_pack_sig_c_h with incremental packing via mld_pack_sig_c and
mld_pack_sig_h_poly.
This is a prerequisite for also eliminating y in a follow up.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

Author: mkannwischer

integration/opentitan/reduce_alloc.patch

@@ -17,13 +17,13 @@ index be11f20..26351ee 100644
 -  kOtcryptoMldsa65WorkBufferKeypairWords = 46304 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferSignWords = 44768 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferKeypairWords = 40224 / sizeof(uint32_t),
-+  kOtcryptoMldsa65WorkBufferSignWords = 27456 / sizeof(uint32_t),
++  kOtcryptoMldsa65WorkBufferSignWords = 26432 / sizeof(uint32_t),
    kOtcryptoMldsa65WorkBufferVerifyWords = 30720 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa87WorkBufferKeypairWords = 62688 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferSignWords = 59104 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferKeypairWords = 54560 / sizeof(uint32_t),
-+  kOtcryptoMldsa87WorkBufferSignWords = 35648 / sizeof(uint32_t),
++  kOtcryptoMldsa87WorkBufferSignWords = 34624 / sizeof(uint32_t),
    kOtcryptoMldsa87WorkBufferVerifyWords = 41216 / sizeof(uint32_t),
  };
 

mldsa/mldsa_native.c

@@ -257,7 +257,8 @@
 /* mldsa/src/packing.h */
 #undef MLD_PACKING_H
 #undef mld_pack_pk
-#undef mld_pack_sig_c_h
+#undef mld_pack_sig_c
+#undef mld_pack_sig_h_poly
 #undef mld_pack_sig_z
 #undef mld_pack_sk
 #undef mld_unpack_pk
@@ -319,7 +320,6 @@
 #undef mld_polyveck_chknorm
 #undef mld_polyveck_decompose
 #undef mld_polyveck_invntt_tomont
-#undef mld_polyveck_make_hint
 #undef mld_polyveck_ntt
 #undef mld_polyveck_pack_eta
 #undef mld_polyveck_pack_t0

mldsa/mldsa_native.h

@@ -913,19 +913,19 @@ int MLD_API_NAMESPACE(pk_from_sk)(
 /* check-magic: off */
 #if defined(MLD_API_LEGACY_CONFIG) || !defined(MLD_CONFIG_REDUCE_RAM)
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 41216
-#define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 56640
+#define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 52544
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 45248
-#define MLD_TOTAL_ALLOC_44_SIGN 52896
+#define MLD_TOTAL_ALLOC_44_SIGN 48800
 #define MLD_TOTAL_ALLOC_44_VERIFY 38816
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 65792
-#define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 85856
+#define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 79712
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 71872
-#define MLD_TOTAL_ALLOC_65_SIGN 80576
+#define MLD_TOTAL_ALLOC_65_SIGN 74432
 #define MLD_TOTAL_ALLOC_65_VERIFY 62432
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 104704
-#define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 130816
+#define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 122624
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 112832
-#define MLD_TOTAL_ALLOC_87_SIGN 123584
+#define MLD_TOTAL_ALLOC_87_SIGN 115392
 #define MLD_TOTAL_ALLOC_87_VERIFY 99552
 #else /* MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM */
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 28960
@@ -936,12 +936,12 @@ int MLD_API_NAMESPACE(pk_from_sk)(
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 40224
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 40224
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 46304
-#define MLD_TOTAL_ALLOC_65_SIGN 27456
+#define MLD_TOTAL_ALLOC_65_SIGN 26432
 #define MLD_TOTAL_ALLOC_65_VERIFY 30720
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 54560
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 54560
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 62688
-#define MLD_TOTAL_ALLOC_87_SIGN 35648
+#define MLD_TOTAL_ALLOC_87_SIGN 34624
 #define MLD_TOTAL_ALLOC_87_VERIFY 41216
 #endif /* !(MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM) */
 /* check-magic: on */

mldsa/mldsa_native_asm.S

@@ -262,7 +262,8 @@
 /* mldsa/src/packing.h */
 #undef MLD_PACKING_H
 #undef mld_pack_pk
-#undef mld_pack_sig_c_h
+#undef mld_pack_sig_c
+#undef mld_pack_sig_h_poly
 #undef mld_pack_sig_z
 #undef mld_pack_sk
 #undef mld_unpack_pk
@@ -324,7 +325,6 @@
 #undef mld_polyveck_chknorm
 #undef mld_polyveck_decompose
 #undef mld_polyveck_invntt_tomont
-#undef mld_polyveck_make_hint
 #undef mld_polyveck_ntt
 #undef mld_polyveck_pack_eta
 #undef mld_polyveck_pack_t0

mldsa/src/packing.c

@@ -100,75 +100,51 @@ void mld_unpack_sk(uint8_t rho[MLDSA_SEEDBYTES], uint8_t tr[MLDSA_TRBYTES],
 }
 
 MLD_INTERNAL_API
-void mld_pack_sig_c_h(uint8_t sig[MLDSA_CRYPTO_BYTES],
-                      const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyveck *h,
-                      const unsigned int number_of_hints)
+void mld_pack_sig_c(uint8_t sig[MLDSA_CRYPTO_BYTES],
+                    const uint8_t c[MLDSA_CTILDEBYTES])
 {
-  unsigned int i, j, k;
-
   mld_memcpy(sig, c, MLDSA_CTILDEBYTES);
-  sig += MLDSA_CTILDEBYTES;
-
-  /* skip z component - packed via mld_pack_sig_z */
-  sig += MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
+}
 
-  /* Encode hints h */
+MLD_INTERNAL_API
+void mld_pack_sig_h_poly(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *h,
+                         unsigned int k, unsigned int n)
+{
+  unsigned int j;
 
-  /* The final section of sig[] is MLDSA_POLYVECH_PACKEDBYTES long, where
-   * MLDSA_POLYVECH_PACKEDBYTES = MLDSA_OMEGA + MLDSA_K
+  /* The hint section of sig[] is MLDSA_POLYVECH_PACKEDBYTES long, where
+   * MLDSA_POLYVECH_PACKEDBYTES = MLDSA_OMEGA + MLDSA_K.
    *
    * The first OMEGA bytes record the index numbers of the coefficients
-   * that are not equal to 0
+   * that are not equal to 0.
    *
    * The final K bytes record a running tally of the number of hints
-   * coming from each of the K polynomials in h.
-   *
-   * The pre-condition tells us that number_of_hints <= OMEGA, so some
-   * bytes may not be written, so we initialize all of them to zero
-   * to start.
-   */
-  mld_memset(sig, 0, MLDSA_POLYVECH_PACKEDBYTES);
-
-  k = 0;
-  /* For each polynomial in h... */
-  for (i = 0; i < MLDSA_K; ++i)
+   * coming from each of the K polynomials in h. */
+  uint8_t *sig_h = sig + MLDSA_CTILDEBYTES + MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
+
+  /* For each coefficient in this polynomial, record it as a hint */
+  /* if its value is not zero. */
+  for (j = 0; j < MLDSA_N; j++)
   __loop__(
-    assigns(i, j, k, memory_slice(sig, MLDSA_POLYVECH_PACKEDBYTES))
-    invariant(i <= MLDSA_K)
-    invariant(k <= number_of_hints)
-    invariant(number_of_hints <= MLDSA_OMEGA)
-    decreases(MLDSA_K - i)
+    assigns(j, n, memory_slice(sig_h, MLDSA_POLYVECH_PACKEDBYTES))
+    invariant(j <= MLDSA_N)
+    invariant(n <= MLDSA_OMEGA)
+    decreases(MLDSA_N - j)
   )
   {
-    /* For each coefficient in that polynomial, record it as as hint */
-    /* if its value is not zero */
-    for (j = 0; j < MLDSA_N; ++j)
-    __loop__(
-      assigns(j, k, memory_slice(sig, MLDSA_POLYVECH_PACKEDBYTES))
-      invariant(i <= MLDSA_K)
-      invariant(j <= MLDSA_N)
-      invariant(k <= number_of_hints)
-      invariant(number_of_hints <= MLDSA_OMEGA)
-      decreases(MLDSA_N - j)
-    )
+    /* The reference implementation implicitly relies on the total */
+    /* number of hints being less than OMEGA, assuming h is valid. */
+    /* In mldsa-native, we check this explicitly to ease proof of  */
+    /* type safety.                                                */
+    if (h->coeffs[j] != 0 && n < MLDSA_OMEGA)
     {
-      /* The reference implementation implicitly relies on the total */
-      /* number of hints being less than OMEGA, assuming h is valid. */
-      /* In mldsa-native, we check this explicitly to ease proof of  */
-      /* type safety.                                                */
-      if (h->vec[i].coeffs[j] != 0 && k < number_of_hints)
-      {
-        /* The enclosing if condition AND the loop invariant infer  */
-        /* that k < MLDSA_OMEGA, so writing to sig[k] is safe and k */
-        /* can be incremented.                                      */
-        sig[k++] = (uint8_t)j;
-      }
+      sig_h[n] = (uint8_t)j;
+      n++;
     }
-    /* Having recorded all the hints for this polynomial, also   */
-    /* record the running tally into the correct "slot" for that */
-    /* coefficient in the final K bytes                          */
-    sig[MLDSA_OMEGA + i] = (uint8_t)k;
   }
+  /* Record the running tally into the correct slot for this     */
+  /* polynomial in the final K bytes.                            */
+  sig_h[MLDSA_OMEGA + k] = (uint8_t)n;
 }
 
 MLD_INTERNAL_API

mldsa/src/packing.h

@@ -69,35 +69,46 @@ __contract__(
 );
 
 
-#define mld_pack_sig_c_h MLD_NAMESPACE_KL(pack_sig_c_h)
+#define mld_pack_sig_c MLD_NAMESPACE_KL(pack_sig_c)
 /*************************************************
- * Name:        mld_pack_sig_c_h
+ * Name:        mld_pack_sig_c
  *
- * Description: Bit-pack c and h component of sig = (c, z, h).
- *              The z component is packed separately using mld_pack_sig_z.
+ * Description: Bit-pack challenge c into sig = (c, z, h).
  *
  * Arguments:   - uint8_t sig[]: output byte array
- *              - const uint8_t *c:  pointer to challenge hash length
- *                                   MLDSA_SEEDBYTES
- *              - const mld_polyveck *h: pointer to hint vector h
- *              - const unsigned int number_of_hints: total
- *                                   hints in *h
- *
- * Note that the number_of_hints argument is not present
- * in the reference implementation. It is added here to ease
- * proof of type safety.
+ *              - const uint8_t *c: pointer to challenge hash
  **************************************************/
 MLD_INTERNAL_API
-void mld_pack_sig_c_h(uint8_t sig[MLDSA_CRYPTO_BYTES],
-                      const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyveck *h,
-                      const unsigned int number_of_hints)
+void mld_pack_sig_c(uint8_t sig[MLDSA_CRYPTO_BYTES],
+                    const uint8_t c[MLDSA_CTILDEBYTES])
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
   requires(memory_no_alias(c, MLDSA_CTILDEBYTES))
-  requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  requires(forall(k1, 0, MLDSA_K,
-    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-  requires(number_of_hints <= MLDSA_OMEGA)
+  assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
+);
+
+#define mld_pack_sig_h_poly MLD_NAMESPACE_KL(pack_sig_h_poly)
+/*************************************************
+ * Name:        mld_pack_sig_h_poly
+ *
+ * Description: Pack hints for one polynomial into the hint section of sig.
+ *              Must be called once per polynomial in order k = 0, ..., K-1.
+ *              The hint section of sig must be zeroed before the first call.
+ *
+ * Arguments:   - uint8_t sig[]: byte array containing signature
+ *              - const mld_poly *h: pointer to hint polynomial (0/1 coeffs)
+ *              - unsigned int k: index of polynomial in vector (0..K-1)
+ *              - unsigned int n: total number of hints written so far
+ **************************************************/
+MLD_INTERNAL_API
+void mld_pack_sig_h_poly(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *h,
+                         unsigned int k, unsigned int n)
+__contract__(
+  requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
+  requires(memory_no_alias(h, sizeof(mld_poly)))
+  requires(k < MLDSA_K)
+  requires(n <= MLDSA_OMEGA)
+  requires(array_bound(h->coeffs, 0, MLDSA_N, 0, 2))
   assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
 );
 
@@ -107,7 +118,7 @@ __contract__(
  *
  * Description: Bit-pack single polynomial of z component of sig = (c, z, h).
  *              The c and h components are packed separately using
- *              mld_pack_sig_c_h.
+ *              mld_pack_sig_c and mld_pack_sig_h_poly.
  *
  * Arguments:   - uint8_t sig[]: output byte array
  *              - const mld_poly *zi: pointer to a single polynomial in z

mldsa/src/polyvec.c

@@ -696,28 +696,6 @@ void mld_polyveck_decompose(mld_polyveck *v1, mld_polyveck *v0)
   mld_assert_abs_bound_2d(v0->vec, MLDSA_K, MLDSA_N, MLDSA_GAMMA2 + 1);
 }
 
-MLD_INTERNAL_API
-unsigned int mld_polyveck_make_hint(mld_polyveck *h, const mld_polyveck *v0,
-                                    const mld_polyveck *v1)
-{
-  unsigned int i, s = 0;
-
-  for (i = 0; i < MLDSA_K; ++i)
-  __loop__(
-    assigns(i, s, memory_slice(h, sizeof(mld_polyveck)))
-    invariant(i <= MLDSA_K)
-    invariant(s <= i * MLDSA_N)
-    invariant(forall(k1, 0, i, array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-    decreases(MLDSA_K - i)
-  )
-  {
-    s += mld_poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
-  }
-
-  mld_assert_bound_2d(h->vec, MLDSA_K, MLDSA_N, 0, 2);
-  return s;
-}
-
 MLD_INTERNAL_API
 void mld_polyveck_use_hint(mld_polyveck *w, const mld_polyveck *u,
                            const mld_polyveck *h)

mldsa/src/polyvec.h

@@ -413,31 +413,6 @@ __contract__(
                  array_abs_bound(v0->vec[k2].coeffs, 0, MLDSA_N, MLDSA_GAMMA2+1)))
 );
 
-#define mld_polyveck_make_hint MLD_NAMESPACE_KL(polyveck_make_hint)
-/*************************************************
- * Name:        mld_polyveck_make_hint
- *
- * Description: Compute hint vector.
- *
- * Arguments:   - mld_polyveck *h: pointer to output vector
- *              - const mld_polyveck *v0: pointer to low part of input vector
- *              - const mld_polyveck *v1: pointer to high part of input vector
- *
- * Returns number of 1 bits.
- **************************************************/
-MLD_INTERNAL_API
-MLD_MUST_CHECK_RETURN_VALUE
-unsigned int mld_polyveck_make_hint(mld_polyveck *h, const mld_polyveck *v0,
-                                    const mld_polyveck *v1)
-__contract__(
-  requires(memory_no_alias(h,  sizeof(mld_polyveck)))
-  requires(memory_no_alias(v0, sizeof(mld_polyveck)))
-  requires(memory_no_alias(v1, sizeof(mld_polyveck)))
-  assigns(memory_slice(h, sizeof(mld_polyveck)))
-  ensures(return_value <= MLDSA_N * MLDSA_K)
-  ensures(forall(k1, 0, MLDSA_K, array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-);
-
 #define mld_polyveck_use_hint MLD_NAMESPACE_KL(polyveck_use_hint)
 /*************************************************
  * Name:        mld_polyveck_use_hint