HOL-Light/x86_64: Replace Keccakx4 intrinsics with AVX2 assembly and prove correct

- Ports pq-code-package/mlkem-native#1576

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Author: mkannwischer

.github/workflows/hol_light.yml

@@ -165,6 +165,8 @@ jobs:
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
           - name: mldsa_intt
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
+          - name: keccak_f1600_x4_avx2
+            needs: ["keccak_utils.ml", "keccak_spec.ml", "keccak_f1600_x4_avx2_constants.ml", "keccak_constants.ml"]
     name: x86_64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-x64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

README.md

@@ -65,6 +65,7 @@ HOL-Light functional correctness proofs can be found in [proofs/hol_light](proof
 
 - AArch64 poly_caddq [poly_caddq_asm.S](mldsa/src/native/aarch64/src/poly_caddq_asm.S)
 - x86_64 NTT [ntt.S](mldsa/src/native/x86_64/src/ntt.S)
+- x86_64 4-fold Keccak-F1600 using AVX2 [keccak_f1600_x4_avx2.S](mldsa/src/fips202/native/x86_64/src/keccak_f1600_x4_avx2.S)
 
 These proofs utilize the verification infrastructure in [s2n-bignum](https://github.com/awslabs/s2n-bignum).
 

dev/fips202/aarch64/src/keccakf1600_round_constants.c

@@ -1,9 +1,14 @@
 /*
- * Copyright (c) The mlkem-native project authors
  * Copyright (c) The mldsa-native project authors
  * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
  */
 
+/*
+ * WARNING: This file is auto-generated from scripts/autogen
+ *          in the mldsa-native repository.
+ *          Do not modify it directly.
+ */
+
 #include "../../../../common.h"
 
 #if (defined(MLD_FIPS202_AARCH64_NEED_X1_SCALAR) ||                  \

mldsa/src/fips202/native/x86_64/xkcp.h dev/fips202/x86_64/keccak_f1600_x4_avx2.hmldsa/src/fips202/native/x86_64/xkcp.h renamed to dev/fips202/x86_64/keccak_f1600_x4_avx2.h

@@ -4,28 +4,31 @@
  * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
  */
 
-#ifndef MLD_FIPS202_NATIVE_X86_64_XKCP_H
-#define MLD_FIPS202_NATIVE_X86_64_XKCP_H
+#ifndef MLD_DEV_FIPS202_X86_64_KECCAK_F1600_X4_AVX2_H
+#define MLD_DEV_FIPS202_X86_64_KECCAK_F1600_X4_AVX2_H
 
 #include "../../../common.h"
 
-#define MLD_FIPS202_X86_64_XKCP
+#define MLD_FIPS202_X86_64_NEED_X4_AVX2
+
+/* Part of backend API */
+#define MLD_USE_FIPS202_X4_NATIVE
 
 #if !defined(__ASSEMBLER__)
 #include "../api.h"
-#include "src/KeccakP_1600_times4_SIMD256.h"
-
-#define MLD_USE_FIPS202_X4_NATIVE
+#include "src/fips202_native_x86_64.h"
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state)
 {
   if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
   {
     return MLD_NATIVE_FUNC_FALLBACK;
   }
-  mld_keccakf1600x4_permute24(state);
+
+  mld_keccak_f1600_x4_avx2(state, mld_keccakf1600_round_constants,
+                           mld_keccak_rho8, mld_keccak_rho56);
   return MLD_NATIVE_FUNC_SUCCESS;
 }
 #endif /* !__ASSEMBLER__ */
 
-#endif /* !MLD_FIPS202_NATIVE_X86_64_XKCP_H */
+#endif /* !MLD_DEV_FIPS202_X86_64_KECCAK_F1600_X4_AVX2_H */

dev/fips202/x86_64/src/fips202_native_x86_64.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_DEV_FIPS202_X86_64_SRC_FIPS202_NATIVE_X86_64_H
+#define MLD_DEV_FIPS202_X86_64_SRC_FIPS202_NATIVE_X86_64_H
+
+#include "../../../../cbmc.h"
+#include "../../../../common.h"
+
+/* TODO: Reconsider whether this check is needed -- x86_64 is always
+ * little-endian, so the backend selection already implies this. */
+#ifndef MLD_SYS_LITTLE_ENDIAN
+#error Expecting a little-endian platform
+#endif
+
+#define mld_keccakf1600_round_constants \
+  MLD_NAMESPACE(keccakf1600_round_constants)
+extern const uint64_t mld_keccakf1600_round_constants[];
+
+#define mld_keccak_rho8 MLD_NAMESPACE(keccak_rho8)
+extern const uint64_t mld_keccak_rho8[];
+
+#define mld_keccak_rho56 MLD_NAMESPACE(keccak_rho56)
+extern const uint64_t mld_keccak_rho56[];
+
+#define mld_keccak_f1600_x4_avx2 MLD_NAMESPACE(keccak_f1600_x4_avx2)
+void mld_keccak_f1600_x4_avx2(uint64_t states[100], const uint64_t rc[24],
+                              const uint64_t rho8[4], const uint64_t rho56[4])
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/keccak_f1600_x4_avx2.ml */
+__contract__(
+  requires(memory_no_alias(states, sizeof(uint64_t) * 25 * 4))
+  requires(rc == mld_keccakf1600_round_constants)
+  requires(rho8 == mld_keccak_rho8)
+  requires(rho56 == mld_keccak_rho56)
+  assigns(memory_slice(states, sizeof(uint64_t) * 25 * 4))
+);
+
+#endif /* !MLD_DEV_FIPS202_X86_64_SRC_FIPS202_NATIVE_X86_64_H */