lowram: Per-row t0/t1 computation in keygen

Replace mld_compute_t0_t1_tr_from_sk_components with the per-row
mld_compute_t0k_t1k. Both keygen and pk_from_sk now process one
row at a time, packing t1[k] into pk and t0[k] into sk immediately,
which eliminates the full polyveck allocations for t0 and t1.

To express this cleanly, refactor mld_polyvecl_pointwise_acc_montgomery
to take (mat, k, v) instead of (u, v) and move it into polyvec_lazy
with eager and lazy variants. Add per-row pack helpers
mld_pack_sk_t0 / mld_pack_pk_t1, and split mld_pack_sk_rho_key_tr_s2_t0
to drop the t0 packing.

Drop now-dead mld_polyveck_add, mld_polyveck_pack_t0,
mld_polyveck_power2round and mld_pack_pk along with their CBMC proofs.

Update the affected CBMC proofs.

Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

Author: mkannwischer

integration/opentitan/reduce_alloc.patch

@@ -10,21 +10,21 @@ diff --git a/sw/device/lib/crypto/include/mldsa.h b/sw/device/lib/crypto/include
 -  kOtcryptoMldsa44WorkBufferKeypairWords = 32992 / sizeof(uint32_t),
 -  kOtcryptoMldsa44WorkBufferSignWords = 32448 / sizeof(uint32_t),
 -  kOtcryptoMldsa44WorkBufferVerifyWords = 22464 / sizeof(uint32_t),
-+  kOtcryptoMldsa44WorkBufferKeypairWords = 14624 / sizeof(uint32_t),
++  kOtcryptoMldsa44WorkBufferKeypairWords = 12576 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferSignWords = 18208 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferVerifyWords = 20416 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa65WorkBufferKeypairWords = 46304 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferSignWords = 44768 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferVerifyWords = 30720 / sizeof(uint32_t),
-+  kOtcryptoMldsa65WorkBufferKeypairWords = 20768 / sizeof(uint32_t),
++  kOtcryptoMldsa65WorkBufferKeypairWords = 15648 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferSignWords = 23360 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferVerifyWords = 27648 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa87WorkBufferKeypairWords = 62688 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferSignWords = 59104 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferVerifyWords = 41216 / sizeof(uint32_t),
-+  kOtcryptoMldsa87WorkBufferKeypairWords = 26912 / sizeof(uint32_t),
++  kOtcryptoMldsa87WorkBufferKeypairWords = 19744 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferSignWords = 29504 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferVerifyWords = 36096 / sizeof(uint32_t),
  };

mldsa/mldsa_native.c

@@ -257,12 +257,13 @@
 #undef mld_memset
 /* mldsa/src/packing.h */
 #undef MLD_PACKING_H
-#undef mld_pack_pk
+#undef mld_pack_pk_t1
 #undef mld_pack_sig_c
 #undef mld_pack_sig_h_poly
 #undef mld_pack_sig_z
-#undef mld_pack_sk_rho_key_tr_s2_t0
+#undef mld_pack_sk_rho_key_tr_s2
 #undef mld_pack_sk_s1
+#undef mld_pack_sk_t0
 #undef mld_unpack_pk
 #undef mld_unpack_sig
 #undef mld_unpack_sk
@@ -313,17 +314,14 @@
 /* mldsa/src/polyvec.h */
 #undef MLD_POLYVEC_H
 #undef mld_polyveck
-#undef mld_polyveck_add
 #undef mld_polyveck_caddq
 #undef mld_polyveck_chknorm
 #undef mld_polyveck_decompose
 #undef mld_polyveck_invntt_tomont
 #undef mld_polyveck_ntt
 #undef mld_polyveck_pack_eta
-#undef mld_polyveck_pack_t0
 #undef mld_polyveck_pack_w1
 #undef mld_polyveck_pointwise_poly_montgomery
-#undef mld_polyveck_power2round
 #undef mld_polyveck_reduce
 #undef mld_polyveck_shiftl
 #undef mld_polyveck_sub
@@ -334,7 +332,6 @@
 #undef mld_polyvecl_chknorm
 #undef mld_polyvecl_ntt
 #undef mld_polyvecl_pack_eta
-#undef mld_polyvecl_pointwise_acc_montgomery
 #undef mld_polyvecl_uniform_gamma1
 #undef mld_polyvecl_unpack_eta
 #undef mld_polyvecl_unpack_z
@@ -352,6 +349,9 @@
 #undef mld_polyvec_matrix_pointwise_montgomery
 #undef mld_polyvec_matrix_pointwise_montgomery_eager
 #undef mld_polyvec_matrix_pointwise_montgomery_lazy
+#undef mld_polyvecl_pointwise_acc_montgomery
+#undef mld_polyvecl_pointwise_acc_montgomery_eager
+#undef mld_polyvecl_pointwise_acc_montgomery_lazy
 #undef mld_sk_s1hat
 #undef mld_sk_s1hat_eager
 #undef mld_sk_s1hat_get_poly

mldsa/mldsa_native.h

@@ -912,35 +912,35 @@ int MLD_API_NAMESPACE(pk_from_sk)(
  */
 /* check-magic: off */
 #if defined(MLD_API_LEGACY_CONFIG) || !defined(MLD_CONFIG_REDUCE_RAM)
-#define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 33024
+#define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 26880
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 52544
-#define MLD_TOTAL_ALLOC_44_PK_FROM_SK 41152
+#define MLD_TOTAL_ALLOC_44_PK_FROM_SK 27232
 #define MLD_TOTAL_ALLOC_44_SIGN 48800
 #define MLD_TOTAL_ALLOC_44_VERIFY 38816
-#define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 54528
+#define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 44288
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 79712
-#define MLD_TOTAL_ALLOC_65_PK_FROM_SK 65728
+#define MLD_TOTAL_ALLOC_65_PK_FROM_SK 44640
 #define MLD_TOTAL_ALLOC_65_SIGN 74432
 #define MLD_TOTAL_ALLOC_65_VERIFY 62432
-#define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 89344
+#define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 75008
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 122624
-#define MLD_TOTAL_ALLOC_87_PK_FROM_SK 104640
+#define MLD_TOTAL_ALLOC_87_PK_FROM_SK 75360
 #define MLD_TOTAL_ALLOC_87_SIGN 115392
 #define MLD_TOTAL_ALLOC_87_VERIFY 99552
 #else /* MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM */
-#define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 14624
+#define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 12576
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 24160
-#define MLD_TOTAL_ALLOC_44_PK_FROM_SK 26848
+#define MLD_TOTAL_ALLOC_44_PK_FROM_SK 12928
 #define MLD_TOTAL_ALLOC_44_SIGN 18208
 #define MLD_TOTAL_ALLOC_44_VERIFY 20416
-#define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 20768
+#define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 15648
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 32928
-#define MLD_TOTAL_ALLOC_65_PK_FROM_SK 37088
+#define MLD_TOTAL_ALLOC_65_PK_FROM_SK 16000
 #define MLD_TOTAL_ALLOC_65_SIGN 23360
 #define MLD_TOTAL_ALLOC_65_VERIFY 27648
-#define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 26912
+#define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 19744
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 43328
-#define MLD_TOTAL_ALLOC_87_PK_FROM_SK 49376
+#define MLD_TOTAL_ALLOC_87_PK_FROM_SK 20096
 #define MLD_TOTAL_ALLOC_87_SIGN 29504
 #define MLD_TOTAL_ALLOC_87_VERIFY 36096
 #endif /* !(MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM) */

mldsa/mldsa_native_asm.S

@@ -261,12 +261,13 @@
 #undef mld_memset
 /* mldsa/src/packing.h */
 #undef MLD_PACKING_H
-#undef mld_pack_pk
+#undef mld_pack_pk_t1
 #undef mld_pack_sig_c
 #undef mld_pack_sig_h_poly
 #undef mld_pack_sig_z
-#undef mld_pack_sk_rho_key_tr_s2_t0
+#undef mld_pack_sk_rho_key_tr_s2
 #undef mld_pack_sk_s1
+#undef mld_pack_sk_t0
 #undef mld_unpack_pk
 #undef mld_unpack_sig
 #undef mld_unpack_sk
@@ -317,17 +318,14 @@
 /* mldsa/src/polyvec.h */
 #undef MLD_POLYVEC_H
 #undef mld_polyveck
-#undef mld_polyveck_add
 #undef mld_polyveck_caddq
 #undef mld_polyveck_chknorm
 #undef mld_polyveck_decompose
 #undef mld_polyveck_invntt_tomont
 #undef mld_polyveck_ntt
 #undef mld_polyveck_pack_eta
-#undef mld_polyveck_pack_t0
 #undef mld_polyveck_pack_w1
 #undef mld_polyveck_pointwise_poly_montgomery
-#undef mld_polyveck_power2round
 #undef mld_polyveck_reduce
 #undef mld_polyveck_shiftl
 #undef mld_polyveck_sub
@@ -338,7 +336,6 @@
 #undef mld_polyvecl_chknorm
 #undef mld_polyvecl_ntt
 #undef mld_polyvecl_pack_eta
-#undef mld_polyvecl_pointwise_acc_montgomery
 #undef mld_polyvecl_uniform_gamma1
 #undef mld_polyvecl_unpack_eta
 #undef mld_polyvecl_unpack_z
@@ -356,6 +353,9 @@
 #undef mld_polyvec_matrix_pointwise_montgomery
 #undef mld_polyvec_matrix_pointwise_montgomery_eager
 #undef mld_polyvec_matrix_pointwise_montgomery_lazy
+#undef mld_polyvecl_pointwise_acc_montgomery
+#undef mld_polyvecl_pointwise_acc_montgomery_eager
+#undef mld_polyvecl_pointwise_acc_montgomery_lazy
 #undef mld_sk_s1hat
 #undef mld_sk_s1hat_eager
 #undef mld_sk_s1hat_get_poly

mldsa/src/packing.c

@@ -16,25 +16,6 @@
 #define mld_unpack_hints MLD_ADD_PARAM_SET(mld_unpack_hints)
 /* End of parameter set namespacing */
 
-MLD_INTERNAL_API
-void mld_pack_pk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
-                 const uint8_t rho[MLDSA_SEEDBYTES], const mld_polyveck *t1)
-{
-  unsigned int i;
-
-  mld_memcpy(pk, rho, MLDSA_SEEDBYTES);
-  for (i = 0; i < MLDSA_K; ++i)
-  __loop__(
-    assigns(i, memory_slice(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-    invariant(i <= MLDSA_K)
-    decreases(MLDSA_K - i)
-  )
-  {
-    mld_polyt1_pack(pk + MLDSA_SEEDBYTES + i * MLDSA_POLYT1_PACKEDBYTES,
-                    &t1->vec[i]);
-  }
-}
-
 MLD_INTERNAL_API
 void mld_unpack_pk(uint8_t rho[MLDSA_SEEDBYTES], mld_polyveck *t1,
                    const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES])
@@ -58,12 +39,11 @@ void mld_pack_sk_s1(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
 }
 
 MLD_INTERNAL_API
-void mld_pack_sk_rho_key_tr_s2_t0(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
-                                  const uint8_t rho[MLDSA_SEEDBYTES],
-                                  const uint8_t tr[MLDSA_TRBYTES],
-                                  const uint8_t key[MLDSA_SEEDBYTES],
-                                  const mld_polyveck *t0,
-                                  const mld_polyveck *s2)
+void mld_pack_sk_rho_key_tr_s2(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
+                               const uint8_t rho[MLDSA_SEEDBYTES],
+                               const uint8_t tr[MLDSA_TRBYTES],
+                               const uint8_t key[MLDSA_SEEDBYTES],
+                               const mld_polyveck *s2)
 {
   mld_memcpy(sk, rho, MLDSA_SEEDBYTES);
   sk += MLDSA_SEEDBYTES;
@@ -78,9 +58,26 @@ void mld_pack_sk_rho_key_tr_s2_t0(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
   sk += MLDSA_L * MLDSA_POLYETA_PACKEDBYTES;
 
   mld_polyveck_pack_eta(sk, s2);
-  sk += MLDSA_K * MLDSA_POLYETA_PACKEDBYTES;
 
-  mld_polyveck_pack_t0(sk, t0);
+  /* t0 packed per row by the caller via mld_pack_sk_t0 */
+}
+
+MLD_INTERNAL_API
+void mld_pack_sk_t0(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES], unsigned int k,
+                    const mld_poly *t0k)
+{
+  mld_polyt0_pack(sk + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES +
+                      MLDSA_L * MLDSA_POLYETA_PACKEDBYTES +
+                      MLDSA_K * MLDSA_POLYETA_PACKEDBYTES +
+                      k * MLDSA_POLYT0_PACKEDBYTES,
+                  t0k);
+}
+
+MLD_INTERNAL_API
+void mld_pack_pk_t1(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES], unsigned int k,
+                    const mld_poly *t1k)
+{
+  mld_polyt1_pack(pk + MLDSA_SEEDBYTES + k * MLDSA_POLYT1_PACKEDBYTES, t1k);
 }
 
 MLD_INTERNAL_API

mldsa/src/packing.h

@@ -8,28 +8,6 @@
 #include "polyvec.h"
 #include "polyvec_lazy.h"
 
-#define mld_pack_pk MLD_NAMESPACE_KL(pack_pk)
-/*************************************************
- * Name:        mld_pack_pk
- *
- * Description: Bit-pack public key pk = (rho, t1).
- *
- * Arguments:   - uint8_t pk[]: output byte array
- *              - const uint8_t rho[]: byte array containing rho
- *              - const mld_polyveck *t1: pointer to vector t1
- **************************************************/
-MLD_INTERNAL_API
-void mld_pack_pk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
-                 const uint8_t rho[MLDSA_SEEDBYTES], const mld_polyveck *t1)
-__contract__(
-  requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(t1, sizeof(mld_polyveck)))
-  requires(forall(k0, 0, MLDSA_K,
-    array_bound(t1->vec[k0].coeffs, 0, MLDSA_N, 0, 1 << 10)))
-  assigns(memory_slice(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-);
-
 
 #define mld_pack_sk_s1 MLD_NAMESPACE_KL(pack_sk_s1)
 /*************************************************
@@ -51,41 +29,82 @@ __contract__(
   assigns(memory_slice(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
 );
 
-#define mld_pack_sk_rho_key_tr_s2_t0 MLD_NAMESPACE_KL(pack_sk_rho_key_tr_s2_t0)
+#define mld_pack_sk_rho_key_tr_s2 MLD_NAMESPACE_KL(pack_sk_rho_key_tr_s2)
 /*************************************************
- * Name:        mld_pack_sk_rho_key_tr_s2_t0
+ * Name:        mld_pack_sk_rho_key_tr_s2
  *
- * Description: Bit-pack rho, key, tr, s2, t0 into the secret key.
+ * Description: Bit-pack rho, key, tr, s2 into the secret key.
  *              s1 must already be packed via mld_pack_sk_s1.
+ *              t0 is packed per row by the caller (see
+ *              mld_pack_sk_t0).
  *
  * Arguments:   - uint8_t sk[]: output byte array
  *              - const uint8_t rho[]: byte array containing rho
  *              - const uint8_t tr[]: byte array containing tr
  *              - const uint8_t key[]: byte array containing key
- *              - const mld_polyveck *t0: pointer to vector t0
  *              - const mld_polyveck *s2: pointer to vector s2
  **************************************************/
 MLD_INTERNAL_API
-void mld_pack_sk_rho_key_tr_s2_t0(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
-                                  const uint8_t rho[MLDSA_SEEDBYTES],
-                                  const uint8_t tr[MLDSA_TRBYTES],
-                                  const uint8_t key[MLDSA_SEEDBYTES],
-                                  const mld_polyveck *t0,
-                                  const mld_polyveck *s2)
+void mld_pack_sk_rho_key_tr_s2(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
+                               const uint8_t rho[MLDSA_SEEDBYTES],
+                               const uint8_t tr[MLDSA_TRBYTES],
+                               const uint8_t key[MLDSA_SEEDBYTES],
+                               const mld_polyveck *s2)
 __contract__(
   requires(memory_no_alias(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
   requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
   requires(memory_no_alias(tr, MLDSA_TRBYTES))
   requires(memory_no_alias(key, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(t0, sizeof(mld_polyveck)))
   requires(memory_no_alias(s2, sizeof(mld_polyveck)))
-  requires(forall(k0, 0, MLDSA_K,
-    array_bound(t0->vec[k0].coeffs, 0, MLDSA_N, -(1<<(MLDSA_D-1)) + 1, (1<<(MLDSA_D-1)) + 1)))
   requires(forall(k2, 0, MLDSA_K,
     array_abs_bound(s2->vec[k2].coeffs, 0, MLDSA_N, MLDSA_ETA + 1)))
   assigns(memory_slice(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
 );
 
+#define mld_pack_sk_t0 MLD_NAMESPACE_KL(pack_sk_t0)
+/*************************************************
+ * Name:        mld_pack_sk_t0
+ *
+ * Description: Bit-pack a single t0 polynomial t0[k] at the
+ *              corresponding offset in the secret key.
+ *
+ * Arguments:   - uint8_t sk[]: output byte array (full secret key)
+ *              - unsigned int k: row index, must be < MLDSA_K
+ *              - const mld_poly *t0k: pointer to t0[k]
+ **************************************************/
+MLD_INTERNAL_API
+void mld_pack_sk_t0(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES], unsigned int k,
+                    const mld_poly *t0k)
+__contract__(
+  requires(memory_no_alias(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
+  requires(memory_no_alias(t0k, sizeof(mld_poly)))
+  requires(k < MLDSA_K)
+  requires(array_bound(t0k->coeffs, 0, MLDSA_N, -(1<<(MLDSA_D-1)) + 1, (1<<(MLDSA_D-1)) + 1))
+  assigns(memory_slice(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
+);
+
+#define mld_pack_pk_t1 MLD_NAMESPACE_KL(pack_pk_t1)
+/*************************************************
+ * Name:        mld_pack_pk_t1
+ *
+ * Description: Bit-pack a single t1 polynomial t1[k] at the
+ *              corresponding offset in the public key.
+ *
+ * Arguments:   - uint8_t pk[]: output byte array (full public key)
+ *              - unsigned int k: row index, must be < MLDSA_K
+ *              - const mld_poly *t1k: pointer to t1[k]
+ **************************************************/
+MLD_INTERNAL_API
+void mld_pack_pk_t1(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES], unsigned int k,
+                    const mld_poly *t1k)
+__contract__(
+  requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
+  requires(memory_no_alias(t1k, sizeof(mld_poly)))
+  requires(k < MLDSA_K)
+  requires(array_bound(t1k->coeffs, 0, MLDSA_N, 0, 1 << 10))
+  assigns(memory_slice(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
+);
+
 
 #define mld_pack_sig_c MLD_NAMESPACE_KL(pack_sig_c)
 /*************************************************