CBMC/AArch64: Add contracts and proof poly_decompose asm functions

mkannwischer · mkannwischer · commit c1725f36e31a · 2026-05-05T12:15:09.000+08:00
Signed-off-by: Matthias J. Kannwischer &lt;matthias@kannwischer.eu&gt;
diff --git a/dev/aarch64_clean/src/arith_native_aarch64.h b/dev/aarch64_clean/src/arith_native_aarch64.h
@@ -98,10 +98,36 @@ uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
 
 #if !defined(MLD_CONFIG_NO_SIGN_API)
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
-void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/poly_decompose_32_aarch64_asm.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
+  /* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 261889))
+);
 
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
-void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/poly_decompose_88_aarch64_asm.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
+  /* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 95233))
+);
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
 #define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
diff --git a/dev/aarch64_opt/src/arith_native_aarch64.h b/dev/aarch64_opt/src/arith_native_aarch64.h
@@ -98,10 +98,36 @@ uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
 
 #if !defined(MLD_CONFIG_NO_SIGN_API)
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
-void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/poly_decompose_32_aarch64_asm.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
+  /* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 261889))
+);
 
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
-void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/poly_decompose_88_aarch64_asm.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
+  /* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 95233))
+);
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
 #define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
diff --git a/mldsa/src/native/aarch64/src/arith_native_aarch64.h b/mldsa/src/native/aarch64/src/arith_native_aarch64.h
@@ -98,10 +98,36 @@ uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
 
 #if !defined(MLD_CONFIG_NO_SIGN_API)
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
-void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/poly_decompose_32_aarch64_asm.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 16 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 32)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 16))
+  /* check-magic: 261889 == (MLDSA_Q - 1) / 32 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 261889))
+);
 
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
-void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0);
+void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/poly_decompose_88_aarch64_asm.ml */
+__contract__(
+  requires(memory_no_alias(a1, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a0, sizeof(int32_t) * MLDSA_N))
+  requires(array_bound(a0, 0, MLDSA_N, 0, MLDSA_Q))
+  assigns(memory_slice(a1, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(a0, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: 44 == (MLDSA_Q - 1) / (2 * ((MLDSA_Q - 1) / 88)) */
+  ensures(array_bound(a1, 0, MLDSA_N, 0, 44))
+  /* check-magic: 95233 == (MLDSA_Q - 1) / 88 + 1 */
+  ensures(array_abs_bound(a0, 0, MLDSA_N, 95233))
+);
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
 #define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
diff --git a/proofs/cbmc/poly_decompose_32_native_aarch64/Makefile b/proofs/cbmc/poly_decompose_32_native_aarch64/Makefile
@@ -0,0 +1,66 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = poly_decompose_32_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_decompose_32_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+# poly_decompose_32 is only used with ML-DSA-65 and ML-DSA-87
+ifeq ($(MLD_CONFIG_PARAMETER_SET),65)
+CHECK_FUNCTION_CONTRACTS=mld_poly_decompose_32_native
+USE_FUNCTION_CONTRACTS = mld_poly_decompose_32_asm
+else ifeq ($(MLD_CONFIG_PARAMETER_SET),87)
+CHECK_FUNCTION_CONTRACTS=mld_poly_decompose_32_native
+USE_FUNCTION_CONTRACTS = mld_poly_decompose_32_asm
+else
+CHECK_FUNCTION_CONTRACTS=
+USE_FUNCTION_CONTRACTS =
+endif
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = poly_decompose_32_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly_kl.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly_kl.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/poly_decompose_32_native_aarch64/poly_decompose_32_native_aarch64_harness.c b/proofs/cbmc/poly_decompose_32_native_aarch64/poly_decompose_32_native_aarch64_harness.c
@@ -0,0 +1,19 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+int mld_poly_decompose_32_native(int32_t *a1, int32_t *a0);
+
+void harness(void)
+{
+  /* mld_poly_decompose_32_native is only defined for ML-DSA-65 and ML-DSA-87 */
+#if MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87
+  int32_t *a1;
+  int32_t *a0;
+  int t;
+  t = mld_poly_decompose_32_native(a1, a0);
+#endif /* MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87 */
+}
diff --git a/proofs/cbmc/poly_decompose_88_native_aarch64/Makefile b/proofs/cbmc/poly_decompose_88_native_aarch64/Makefile
@@ -0,0 +1,63 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = poly_decompose_88_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_decompose_88_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+# poly_decompose_88 is only used with ML-DSA-44
+ifeq ($(MLD_CONFIG_PARAMETER_SET),44)
+CHECK_FUNCTION_CONTRACTS=mld_poly_decompose_88_native
+USE_FUNCTION_CONTRACTS = mld_poly_decompose_88_asm
+else
+CHECK_FUNCTION_CONTRACTS=
+USE_FUNCTION_CONTRACTS =
+endif
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = poly_decompose_88_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly_kl.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly_kl.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/poly_decompose_88_native_aarch64/poly_decompose_88_native_aarch64_harness.c b/proofs/cbmc/poly_decompose_88_native_aarch64/poly_decompose_88_native_aarch64_harness.c
@@ -0,0 +1,19 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+int mld_poly_decompose_88_native(int32_t *a1, int32_t *a0);
+
+void harness(void)
+{
+  /* mld_poly_decompose_88_native is only defined for ML-DSA-44 */
+#if MLD_CONFIG_PARAMETER_SET == 44
+  int32_t *a1;
+  int32_t *a0;
+  int t;
+  t = mld_poly_decompose_88_native(a1, a0);
+#endif /* MLD_CONFIG_PARAMETER_SET == 44 */
+}
