Add HOL Light pointwise_acc proofs for AArch64 and x86_64

Port the ML-DSA pointwise multiplication-accumulation (l=4,5,7) and
their HOL Light proofs of correctness from s2n-bignum to mldsa-native,
for both AArch64 (NEON) and x86_64 (AVX2). Includes constant-time and
memory safety proofs for both architectures.

Ported from s2n-bignum PR #373.

Signed-off-by: Jake Massimo <jakemas@amazon.com>
Signed-off-by: Ubuntu <ubuntu@ip-172-31-29-57.us-west-2.compute.internal>

Author: jakemas

.github/workflows/hol_light.yml

@@ -85,6 +85,12 @@ jobs:
             needs: ["mldsa_specs.ml", "mldsa_zetas.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
           - name: mldsa_pointwise
             needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l4
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l5
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l7
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
           - name: mldsa_poly_caddq
             needs: ["aarch64_utils.ml"]
           - name: mldsa_poly_chknorm
@@ -185,6 +191,12 @@ jobs:
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
           - name: mldsa_pointwise
             needs: ["mldsa_specs.ml", "mldsa_utils.ml"]
+          - name: mldsa_pointwise_acc_l4
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l5
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise_acc_l7
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml", "subroutine_signatures.ml"]
     name: x86_64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-x64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

BIBLIOGRAPHY.md

@@ -254,6 +254,9 @@ source code and documentation.
   - [proofs/hol_light/x86_64/mldsa/mldsa_intt.S](proofs/hol_light/x86_64/mldsa/mldsa_intt.S)
   - [proofs/hol_light/x86_64/mldsa/mldsa_ntt.S](proofs/hol_light/x86_64/mldsa/mldsa_ntt.S)
   - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l4.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l4.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l5.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l5.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l7.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise_acc_l7.S)
 
 ### `Round3_Spec`
 

dev/aarch64_clean/src/arith_native_aarch64.h

@@ -147,17 +147,56 @@ __contract__(
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 4 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 4 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l5_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l5_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 5 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 5 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l7_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l7_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 7 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 7 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */

dev/aarch64_opt/src/arith_native_aarch64.h

@@ -147,17 +147,56 @@ __contract__(
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 4 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 4 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l5_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l5_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 5 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 5 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l7_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l7_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 7 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 7 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */

dev/x86_64/src/arith_native_x86_64.h

@@ -123,16 +123,58 @@ __contract__(
 #define mld_pointwise_acc_l4_avx2 MLD_NAMESPACE(pointwise_acc_l4_avx2)
 void mld_pointwise_acc_l4_avx2(int32_t c[MLDSA_N], const int32_t a[4][MLDSA_N],
                                const int32_t b[4][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l5_avx2 MLD_NAMESPACE(pointwise_acc_l5_avx2)
 void mld_pointwise_acc_l5_avx2(int32_t c[MLDSA_N], const int32_t a[5][MLDSA_N],
                                const int32_t b[5][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l7_avx2 MLD_NAMESPACE(pointwise_acc_l7_avx2)
 void mld_pointwise_acc_l7_avx2(int32_t c[MLDSA_N], const int32_t a[7][MLDSA_N],
                                const int32_t b[7][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H */

mldsa/src/native/aarch64/src/arith_native_aarch64.h

@@ -147,17 +147,56 @@ __contract__(
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l4_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 4 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 4 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l5_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l5_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l5_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 5 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 5 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l7_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l7_asm)
-void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *, const int32_t *,
-                                                  const int32_t *);
+void mld_polyvecl_pointwise_acc_montgomery_l7_asm(int32_t *r, const int32_t *a,
+                                                  const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, 7 * MLDSA_N, 8380417))
+  requires(array_abs_bound(b, 0, 7 * MLDSA_N, 75423753))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */

mldsa/src/native/x86_64/src/arith_native_x86_64.h

@@ -123,16 +123,58 @@ __contract__(
 #define mld_pointwise_acc_l4_avx2 MLD_NAMESPACE(pointwise_acc_l4_avx2)
 void mld_pointwise_acc_l4_avx2(int32_t c[MLDSA_N], const int32_t a[4][MLDSA_N],
                                const int32_t b[4][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l4.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 4 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 4 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 4, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 4, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l5_avx2 MLD_NAMESPACE(pointwise_acc_l5_avx2)
 void mld_pointwise_acc_l5_avx2(int32_t c[MLDSA_N], const int32_t a[5][MLDSA_N],
                                const int32_t b[5][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l5.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 5 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 5 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 5, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 5, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l7_avx2 MLD_NAMESPACE(pointwise_acc_l7_avx2)
 void mld_pointwise_acc_l7_avx2(int32_t c[MLDSA_N], const int32_t a[7][MLDSA_N],
                                const int32_t b[7][MLDSA_N],
-                               const int32_t *qdata);
+                               const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise_acc_l7.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * 7 * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * 7 * MLDSA_N))
+  /* check-magic: off */
+  requires(forall(l0, 0, 7, array_abs_bound(a[l0], 0, MLDSA_N, 8380417)))
+  requires(forall(l1, 0, 7, array_abs_bound(b[l1], 0, MLDSA_N, 75423753)))
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #endif /* !MLD_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H */