Add HOL Light poly_use_hint_32 and poly_use_hint_88 proofs with functional correctness

Add formal verification proofs for mldsa_poly_use_hint_32 and
mldsa_poly_use_hint_88 AArch64 NEON implementations. Both proofs
establish full functional correctness: the assembly output equals
word(mldsa_use_hint_XX_spec(val(input_a), val(input_h))) for each
element, matching the ML-DSA specification.

Both proofs work in HOL Light native compilation mode, using:
- Barrett reduction equivalence via general interval lemma
- Bridge lemmas for real_gt/int_gt type compatibility
- BITBLAST_RULE for word comparison bounds
- WORD_SUBWORD push-through for SIMD endgame

Also adds CI workflow entries, CBMC contracts, header declarations
for the use_hint assembly functions, and shared helper lemmas in
common/mldsa_specs.ml.

Signed-off-by: Jake Massimo <jakemas@amazon.com>

Author: jakemas

.github/workflows/hol_light.yml

@@ -95,6 +95,10 @@ jobs:
             needs: ["aarch64_utils.ml"]
           - name: mldsa_poly_chknorm
             needs: ["aarch64_utils.ml"]
+          - name: mldsa_poly_use_hint_32
+            needs: ["mldsa_specs.ml", "subroutine_signatures.ml"]
+          - name: mldsa_poly_use_hint_88
+            needs: ["mldsa_specs.ml", "subroutine_signatures.ml"]
           - name: keccak_f1600_x1_scalar
             needs: ["keccak_spec.ml"]
           - name: keccak_f1600_x1_v84a

dev/aarch64_opt/src/arith_native_aarch64.h

@@ -117,10 +117,32 @@ __contract__(
 
 #if !defined(MLD_CONFIG_NO_VERIFY_API)
 #define mld_poly_use_hint_32_asm MLD_NAMESPACE(poly_use_hint_32_asm)
-void mld_poly_use_hint_32_asm(int32_t *b, const int32_t *a, const int32_t *h);
+void mld_poly_use_hint_32_asm(int32_t *b, const int32_t *a, const int32_t *h)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_use_hint_32.ml */
+__contract__(
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  requires(array_bound(h, 0, MLDSA_N, 0, 2))
+  assigns(memory_slice(b, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(b, 0, MLDSA_N, 0, 16))
+);
 
 #define mld_poly_use_hint_88_asm MLD_NAMESPACE(poly_use_hint_88_asm)
-void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
+void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_use_hint_88.ml */
+__contract__(
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  requires(array_bound(h, 0, MLDSA_N, 0, 2))
+  assigns(memory_slice(b, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(b, 0, MLDSA_N, 0, 44))
+);
 #endif /* !MLD_CONFIG_NO_VERIFY_API */
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)

mldsa/src/native/aarch64/src/arith_native_aarch64.h

@@ -117,10 +117,32 @@ __contract__(
 
 #if !defined(MLD_CONFIG_NO_VERIFY_API)
 #define mld_poly_use_hint_32_asm MLD_NAMESPACE(poly_use_hint_32_asm)
-void mld_poly_use_hint_32_asm(int32_t *b, const int32_t *a, const int32_t *h);
+void mld_poly_use_hint_32_asm(int32_t *b, const int32_t *a, const int32_t *h)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_use_hint_32.ml */
+__contract__(
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  requires(array_bound(h, 0, MLDSA_N, 0, 2))
+  assigns(memory_slice(b, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(b, 0, MLDSA_N, 0, 16))
+);
 
 #define mld_poly_use_hint_88_asm MLD_NAMESPACE(poly_use_hint_88_asm)
-void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
+void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_use_hint_88.ml */
+__contract__(
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(h, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a, 0, MLDSA_N, 0, MLDSA_Q))
+  requires(array_bound(h, 0, MLDSA_N, 0, 2))
+  assigns(memory_slice(b, sizeof(int32_t) * MLDSA_N))
+  ensures(array_bound(b, 0, MLDSA_N, 0, 44))
+);
 #endif /* !MLD_CONFIG_NO_VERIFY_API */
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)

proofs/cbmc/poly_use_hint_native_aarch64/Makefile

@@ -0,0 +1,53 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = poly_use_hint_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_use_hint_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+ifeq ($(MLD_CONFIG_PARAMETER_SET),44)
+    CHECK_FUNCTION_CONTRACTS=mld_poly_use_hint_88_native
+    USE_FUNCTION_CONTRACTS=mld_poly_use_hint_88_asm
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),65)
+    CHECK_FUNCTION_CONTRACTS=mld_poly_use_hint_32_native
+    USE_FUNCTION_CONTRACTS=mld_poly_use_hint_32_asm
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),87)
+    CHECK_FUNCTION_CONTRACTS=mld_poly_use_hint_32_native
+    USE_FUNCTION_CONTRACTS=mld_poly_use_hint_32_asm
+endif
+USE_FUNCTION_CONTRACTS+=mld_sys_check_capability
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = poly_use_hint_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+include ../Makefile.common

proofs/cbmc/poly_use_hint_native_aarch64/poly_use_hint_native_aarch64_harness.c

@@ -0,0 +1,24 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+#if MLDSA_GAMMA2 == ((MLDSA_Q - 1) / 88)
+int mld_poly_use_hint_88_native(int32_t *b, const int32_t *a, const int32_t *h);
+#else
+int mld_poly_use_hint_32_native(int32_t *b, const int32_t *a, const int32_t *h);
+#endif
+
+void harness(void)
+{
+  int32_t *b, *a, *h;
+  int t;
+
+#if MLDSA_GAMMA2 == ((MLDSA_Q - 1) / 88)
+  t = mld_poly_use_hint_88_native(b, a, h);
+#else
+  t = mld_poly_use_hint_32_native(b, a, h);
+#endif
+}

proofs/hol_light/README.md

@@ -54,6 +54,8 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
 - ML-DSA Arithmetic:
   * AArch64 poly_caddq: [mldsa_poly_caddq.S](aarch64/mldsa/mldsa_poly_caddq.S)
   * AArch64 poly_chknorm: [mldsa_poly_chknorm.S](aarch64/mldsa/mldsa_poly_chknorm.S)
+  * AArch64 poly_use_hint (l=5,7): [mldsa_poly_use_hint_32.S](aarch64/mldsa/mldsa_poly_use_hint_32.S)
+  * AArch64 poly_use_hint (l=4): [mldsa_poly_use_hint_88.S](aarch64/mldsa/mldsa_poly_use_hint_88.S)
   * AArch64 pointwise multiplication: [mldsa_pointwise.S](aarch64/mldsa/mldsa_pointwise.S)
   * AArch64 pointwise multiplication-accumulation (l=4): [mldsa_pointwise_acc_l4.S](aarch64/mldsa/mldsa_pointwise_acc_l4.S)
   * AArch64 pointwise multiplication-accumulation (l=5): [mldsa_pointwise_acc_l5.S](aarch64/mldsa/mldsa_pointwise_acc_l5.S)

proofs/hol_light/aarch64/Makefile

@@ -57,6 +57,8 @@ OBJ = mldsa/mldsa_ntt.o \
       mldsa/mldsa_pointwise.o \
       mldsa/mldsa_poly_caddq.o \
       mldsa/mldsa_poly_chknorm.o                        \
+      mldsa/mldsa_poly_use_hint_32.o                    \
+      mldsa/mldsa_poly_use_hint_88.o                    \
       mldsa/mldsa_pointwise_acc_l4.o                    \
       mldsa/mldsa_pointwise_acc_l5.o                    \
       mldsa/mldsa_pointwise_acc_l7.o                    \

proofs/hol_light/aarch64/mldsa/mldsa_poly_use_hint_32.S

@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/aarch64_opt/src/poly_use_hint_32_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_32_asm
+_PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_32_asm:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_32_asm
+PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_32_asm:
+#endif
+
+        .cfi_startproc
+        mov w4, #0xe001             // =57345
+        movk w4, #0x7f, lsl #16
+        dup v20.4s, w4
+        mov w5, #0xe100             // =57600
+        movk w5, #0x7b, lsl #16
+        dup v21.4s, w5
+        mov w7, #0xfe00             // =65024
+        movk w7, #0x7, lsl #16
+        dup v22.4s, w7
+        mov w11, #0x401             // =1025
+        movk w11, #0x4010, lsl #16
+        dup v23.4s, w11
+        movi v24.4s, #0xf
+        mov x3, #0x10               // =16
+
+Lpoly_use_hint_32_loop:
+        ldr q1, [x1, #0x10]
+        ldr q2, [x1, #0x20]
+        ldr q3, [x1, #0x30]
+        ldr q0, [x1], #0x40
+        ldr q5, [x2, #0x10]
+        ldr q6, [x2, #0x20]
+        ldr q7, [x2, #0x30]
+        ldr q4, [x2], #0x40
+        sqdmulh v17.4s, v1.4s, v23.4s
+        srshr v17.4s, v17.4s, #0x12
+        cmgt v25.4s, v1.4s, v21.4s
+        mls v1.4s, v17.4s, v22.4s
+        bic v17.16b, v17.16b, v25.16b
+        add v1.4s, v1.4s, v25.4s
+        cmle v1.4s, v1.4s, #0
+        orr v1.4s, #0x1
+        mla v17.4s, v1.4s, v5.4s
+        and v17.16b, v17.16b, v24.16b
+        sqdmulh v18.4s, v2.4s, v23.4s
+        srshr v18.4s, v18.4s, #0x12
+        cmgt v25.4s, v2.4s, v21.4s
+        mls v2.4s, v18.4s, v22.4s
+        bic v18.16b, v18.16b, v25.16b
+        add v2.4s, v2.4s, v25.4s
+        cmle v2.4s, v2.4s, #0
+        orr v2.4s, #0x1
+        mla v18.4s, v2.4s, v6.4s
+        and v18.16b, v18.16b, v24.16b
+        sqdmulh v19.4s, v3.4s, v23.4s
+        srshr v19.4s, v19.4s, #0x12
+        cmgt v25.4s, v3.4s, v21.4s
+        mls v3.4s, v19.4s, v22.4s
+        bic v19.16b, v19.16b, v25.16b
+        add v3.4s, v3.4s, v25.4s
+        cmle v3.4s, v3.4s, #0
+        orr v3.4s, #0x1
+        mla v19.4s, v3.4s, v7.4s
+        and v19.16b, v19.16b, v24.16b
+        sqdmulh v16.4s, v0.4s, v23.4s
+        srshr v16.4s, v16.4s, #0x12
+        cmgt v25.4s, v0.4s, v21.4s
+        mls v0.4s, v16.4s, v22.4s
+        bic v16.16b, v16.16b, v25.16b
+        add v0.4s, v0.4s, v25.4s
+        cmle v0.4s, v0.4s, #0
+        orr v0.4s, #0x1
+        mla v16.4s, v0.4s, v4.4s
+        and v16.16b, v16.16b, v24.16b
+        str q17, [x0, #0x10]
+        str q18, [x0, #0x20]
+        str q19, [x0, #0x30]
+        str q16, [x0], #0x40
+        subs x3, x3, #0x1
+        b.ne Lpoly_use_hint_32_loop
+        ret
+        .cfi_endproc
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif

proofs/hol_light/aarch64/mldsa/mldsa_poly_use_hint_88.S

@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/aarch64_opt/src/poly_use_hint_88_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_88_asm
+_PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_88_asm:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_88_asm
+PQCP_MLDSA_NATIVE_MLDSA44_poly_use_hint_88_asm:
+#endif
+
+        .cfi_startproc
+        mov w4, #0xe001             // =57345
+        movk w4, #0x7f, lsl #16
+        dup v20.4s, w4
+        mov w5, #0x6c00             // =27648
+        movk w5, #0x7e, lsl #16
+        dup v21.4s, w5
+        mov w7, #0xe800             // =59392
+        movk w7, #0x2, lsl #16
+        dup v22.4s, w7
+        mov w11, #0x581             // =1409
+        movk w11, #0x5816, lsl #16
+        dup v23.4s, w11
+        movi v24.4s, #0x2b
+        mov x3, #0x10               // =16
+
+Lpoly_use_hint_88_loop:
+        ldr q1, [x1, #0x10]
+        ldr q2, [x1, #0x20]
+        ldr q3, [x1, #0x30]
+        ldr q0, [x1], #0x40
+        ldr q5, [x2, #0x10]
+        ldr q6, [x2, #0x20]
+        ldr q7, [x2, #0x30]
+        ldr q4, [x2], #0x40
+        sqdmulh v17.4s, v1.4s, v23.4s
+        srshr v17.4s, v17.4s, #0x11
+        cmgt v25.4s, v1.4s, v21.4s
+        mls v1.4s, v17.4s, v22.4s
+        bic v17.16b, v17.16b, v25.16b
+        add v1.4s, v1.4s, v25.4s
+        cmle v1.4s, v1.4s, #0
+        orr v1.4s, #0x1
+        mla v17.4s, v1.4s, v5.4s
+        cmgt v25.4s, v17.4s, v24.4s
+        bic v17.16b, v17.16b, v25.16b
+        umin v17.4s, v17.4s, v24.4s
+        sqdmulh v18.4s, v2.4s, v23.4s
+        srshr v18.4s, v18.4s, #0x11
+        cmgt v25.4s, v2.4s, v21.4s
+        mls v2.4s, v18.4s, v22.4s
+        bic v18.16b, v18.16b, v25.16b
+        add v2.4s, v2.4s, v25.4s
+        cmle v2.4s, v2.4s, #0
+        orr v2.4s, #0x1
+        mla v18.4s, v2.4s, v6.4s
+        cmgt v25.4s, v18.4s, v24.4s
+        bic v18.16b, v18.16b, v25.16b
+        umin v18.4s, v18.4s, v24.4s
+        sqdmulh v19.4s, v3.4s, v23.4s
+        srshr v19.4s, v19.4s, #0x11
+        cmgt v25.4s, v3.4s, v21.4s
+        mls v3.4s, v19.4s, v22.4s
+        bic v19.16b, v19.16b, v25.16b
+        add v3.4s, v3.4s, v25.4s
+        cmle v3.4s, v3.4s, #0
+        orr v3.4s, #0x1
+        mla v19.4s, v3.4s, v7.4s
+        cmgt v25.4s, v19.4s, v24.4s
+        bic v19.16b, v19.16b, v25.16b
+        umin v19.4s, v19.4s, v24.4s
+        sqdmulh v16.4s, v0.4s, v23.4s
+        srshr v16.4s, v16.4s, #0x11
+        cmgt v25.4s, v0.4s, v21.4s
+        mls v0.4s, v16.4s, v22.4s
+        bic v16.16b, v16.16b, v25.16b
+        add v0.4s, v0.4s, v25.4s
+        cmle v0.4s, v0.4s, #0
+        orr v0.4s, #0x1
+        mla v16.4s, v0.4s, v4.4s
+        cmgt v25.4s, v16.4s, v24.4s
+        bic v16.16b, v16.16b, v25.16b
+        umin v16.4s, v16.4s, v24.4s
+        str q17, [x0, #0x10]
+        str q18, [x0, #0x20]
+        str q19, [x0, #0x30]
+        str q16, [x0], #0x40
+        subs x3, x3, #0x1
+        b.ne Lpoly_use_hint_88_loop
+        ret
+        .cfi_endproc
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif

proofs/hol_light/aarch64/proofs/dump_bytecode.ml

@@ -30,6 +30,14 @@ print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_caddq.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/mldsa_poly_caddq.o";;
 print_string "==== bytecode end =====================================\n\n";;
 
+print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_use_hint_32.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/mldsa_poly_use_hint_32.o";;
+print_string "==== bytecode end =====================================\n\n";;
+
+print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_use_hint_88.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/mldsa_poly_use_hint_88.o";;
+print_string "==== bytecode end =====================================\n\n";;
+
 print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_chknorm.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/mldsa_poly_chknorm.o";;
 print_string "==== bytecode end =====================================\n\n";;