AArch64: Add rejection sampling HOL Light proofs and CBMC contract

dkostic · mkannwischer · commit cbc80f6adcfe · 2026-05-21T13:20:08.000+08:00
- HOL Light correctness proof
- HOL Light subroutine proof
- HOL Light memory-safety proof
- CBMC contract

Signed-off-by: dkostic &lt;dkostic@amazon.com&gt;
diff --git a/.github/workflows/hol_light.yml b/.github/workflows/hol_light.yml
@@ -121,6 +121,8 @@ jobs:
             needs: ["aarch64_utils.ml", "mldsa_specs.ml", "subroutine_signatures.ml"]
           - name: poly_decompose_88_aarch64_asm
             needs: ["aarch64_utils.ml", "mldsa_specs.ml", "subroutine_signatures.ml"]
+          - name: rej_uniform_aarch64_asm
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "mldsa_rej_uniform_table.ml"]
     name: AArch64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-arm64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
diff --git a/dev/aarch64_clean/src/arith_native_aarch64.h b/dev/aarch64_clean/src/arith_native_aarch64.h
@@ -95,7 +95,18 @@ __contract__(
 #define mld_rej_uniform_aarch64_asm MLD_NAMESPACE(rej_uniform_aarch64_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_aarch64_asm(int32_t *r, const uint8_t *buf,
-                                     unsigned buflen, const uint8_t *table);
+                                     unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/rej_uniform_aarch64_asm.ml. */
+__contract__(
+  requires(buflen % 24 == 0)
+  requires(memory_no_alias(buf, buflen))
+  requires(table == mld_rej_uniform_table)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_bound(r, 0, (unsigned) return_value, 0, MLDSA_Q))
+);
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 #define mld_rej_uniform_eta2_aarch64_asm \
diff --git a/dev/aarch64_opt/src/arith_native_aarch64.h b/dev/aarch64_opt/src/arith_native_aarch64.h
@@ -95,7 +95,18 @@ __contract__(
 #define mld_rej_uniform_aarch64_asm MLD_NAMESPACE(rej_uniform_aarch64_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_aarch64_asm(int32_t *r, const uint8_t *buf,
-                                     unsigned buflen, const uint8_t *table);
+                                     unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/rej_uniform_aarch64_asm.ml. */
+__contract__(
+  requires(buflen % 24 == 0)
+  requires(memory_no_alias(buf, buflen))
+  requires(table == mld_rej_uniform_table)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_bound(r, 0, (unsigned) return_value, 0, MLDSA_Q))
+);
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 #define mld_rej_uniform_eta2_aarch64_asm \
diff --git a/mldsa/src/native/aarch64/src/arith_native_aarch64.h b/mldsa/src/native/aarch64/src/arith_native_aarch64.h
@@ -95,7 +95,18 @@ __contract__(
 #define mld_rej_uniform_aarch64_asm MLD_NAMESPACE(rej_uniform_aarch64_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_aarch64_asm(int32_t *r, const uint8_t *buf,
-                                     unsigned buflen, const uint8_t *table);
+                                     unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/rej_uniform_aarch64_asm.ml. */
+__contract__(
+  requires(buflen % 24 == 0)
+  requires(memory_no_alias(buf, buflen))
+  requires(table == mld_rej_uniform_table)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_bound(r, 0, (unsigned) return_value, 0, MLDSA_Q))
+);
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 #define mld_rej_uniform_eta2_aarch64_asm \
diff --git a/proofs/cbmc/rej_uniform_native_aarch64/Makefile b/proofs/cbmc/rej_uniform_native_aarch64/Makefile
@@ -0,0 +1,57 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = rej_uniform_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = rej_uniform_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly.c $(SRCDIR)/mldsa/src/native/aarch64/src/rej_uniform_table.c
+
+CHECK_FUNCTION_CONTRACTS=mld_rej_uniform_native
+USE_FUNCTION_CONTRACTS=mld_rej_uniform_aarch64_asm
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = rej_uniform_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/src/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
diff --git a/proofs/cbmc/rej_uniform_native_aarch64/rej_uniform_native_aarch64_harness.c b/proofs/cbmc/rej_uniform_native_aarch64/rej_uniform_native_aarch64_harness.c
@@ -0,0 +1,20 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+
+int mld_rej_uniform_native(int32_t *r, unsigned len, const uint8_t *buf,
+                           unsigned buflen);
+
+void harness(void)
+{
+  int32_t *r;
+  unsigned len;
+  const uint8_t *buf;
+  unsigned buflen;
+
+  mld_rej_uniform_native(r, len, buf, buflen);
+}
diff --git a/proofs/hol_light/README.md b/proofs/hol_light/README.md
@@ -125,6 +125,7 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
   * AArch64 pointwise multiplication-accumulation (l=4): [mld_polyvecl_pointwise_acc_montgomery_l4_aarch64_asm.S](aarch64/mldsa/mld_polyvecl_pointwise_acc_montgomery_l4_aarch64_asm.S)
   * AArch64 pointwise multiplication-accumulation (l=5): [mld_polyvecl_pointwise_acc_montgomery_l5_aarch64_asm.S](aarch64/mldsa/mld_polyvecl_pointwise_acc_montgomery_l5_aarch64_asm.S)
   * AArch64 pointwise multiplication-accumulation (l=7): [mld_polyvecl_pointwise_acc_montgomery_l7_aarch64_asm.S](aarch64/mldsa/mld_polyvecl_pointwise_acc_montgomery_l7_aarch64_asm.S)
+  * AArch64 rejection sampling: [rej_uniform_aarch64_asm.S](aarch64/mldsa/rej_uniform_aarch64_asm.S)
 - FIPS202:
   * Keccak-F1600 using lazy rotations[^HYBRID]: [keccak_f1600_x1_scalar_aarch64_asm.S](aarch64/mldsa/keccak_f1600_x1_scalar_aarch64_asm.S)
   * Keccak-F1600 using v8.4-A SHA3 instructions: [keccak_f1600_x1_v84a_aarch64_asm.S](aarch64/mldsa/keccak_f1600_x1_v84a_aarch64_asm.S)
diff --git a/proofs/hol_light/aarch64/Makefile b/proofs/hol_light/aarch64/Makefile
@@ -71,7 +71,8 @@ OBJ = mldsa/intt_aarch64_asm.o \
       mldsa/polyz_unpack_17_aarch64_asm.o \
       mldsa/polyz_unpack_19_aarch64_asm.o \
       mldsa/poly_use_hint_32_aarch64_asm.o \
-      mldsa/poly_use_hint_88_aarch64_asm.o
+      mldsa/poly_use_hint_88_aarch64_asm.o \
+      mldsa/rej_uniform_aarch64_asm.o
 
 # According to
 # https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms,
diff --git a/proofs/hol_light/aarch64/mldsa/rej_uniform_aarch64_asm.S b/proofs/hol_light/aarch64/mldsa/rej_uniform_aarch64_asm.S
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/aarch64_opt/src/rej_uniform_aarch64_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_rej_uniform_aarch64_asm
+_PQCP_MLDSA_NATIVE_MLDSA44_rej_uniform_aarch64_asm:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_rej_uniform_aarch64_asm
+PQCP_MLDSA_NATIVE_MLDSA44_rej_uniform_aarch64_asm:
+#endif
+
+        .cfi_startproc
+        sub sp, sp, #0x440
+        .cfi_adjust_cfa_offset 0x440
+        mov x7, #0x1                // =1
+        movk x7, #0x2, lsl #32
+        mov v31.d[0], x7
+        mov x7, #0x4                // =4
+        movk x7, #0x8, lsl #32
+        mov v31.d[1], x7
+        mov w7, #0xe001             // =57345
+        movk w7, #0x7f, lsl #16
+        dup v30.4s, w7
+        mov x8, sp
+        mov x7, x8
+        mov x11, #0x0               // =0
+        eor v16.16b, v16.16b, v16.16b
+
+Lrej_uniform_initial_zero:
+        str q16, [x7], #0x40
+        stur q16, [x7, #-0x30]
+        stur q16, [x7, #-0x20]
+        stur q16, [x7, #-0x10]
+        add x11, x11, #0x10
+        cmp x11, #0x100
+        b.lt Lrej_uniform_initial_zero
+        mov x7, x8
+        mov x9, #0x0                // =0
+        mov x4, #0x100              // =256
+        cmp x2, #0x30
+        b.lo Lrej_uniform_loop48_end
+
+Lrej_uniform_loop48:
+        cmp x9, x4
+        b.hs Lrej_uniform_memory_copy
+        sub x2, x2, #0x30
+        ld3 { v0.16b, v1.16b, v2.16b }, [x1], #48
+        movi v4.16b, #0x80
+        bic v2.16b, v2.16b, v4.16b
+        zip1 v4.16b, v0.16b, v1.16b
+        zip2 v5.16b, v0.16b, v1.16b
+        ushll v6.8h, v2.8b, #0x0
+        ushll2 v7.8h, v2.16b, #0x0
+        zip1 v16.8h, v4.8h, v6.8h
+        zip2 v17.8h, v4.8h, v6.8h
+        zip1 v18.8h, v5.8h, v7.8h
+        zip2 v19.8h, v5.8h, v7.8h
+        cmhi v4.4s, v30.4s, v16.4s
+        cmhi v5.4s, v30.4s, v17.4s
+        cmhi v6.4s, v30.4s, v18.4s
+        cmhi v7.4s, v30.4s, v19.4s
+        and v4.16b, v4.16b, v31.16b
+        and v5.16b, v5.16b, v31.16b
+        and v6.16b, v6.16b, v31.16b
+        and v7.16b, v7.16b, v31.16b
+        uaddlv d20, v4.4s
+        uaddlv d21, v5.4s
+        uaddlv d22, v6.4s
+        uaddlv d23, v7.4s
+        fmov x12, d20
+        fmov x13, d21
+        fmov x14, d22
+        fmov x15, d23
+        ldr q24, [x3, x12, lsl #4]
+        ldr q25, [x3, x13, lsl #4]
+        ldr q26, [x3, x14, lsl #4]
+        ldr q27, [x3, x15, lsl #4]
+        cnt v4.16b, v4.16b
+        cnt v5.16b, v5.16b
+        cnt v6.16b, v6.16b
+        cnt v7.16b, v7.16b
+        uaddlv d20, v4.4s
+        uaddlv d21, v5.4s
+        uaddlv d22, v6.4s
+        uaddlv d23, v7.4s
+        fmov x12, d20
+        fmov x13, d21
+        fmov x14, d22
+        fmov x15, d23
+        tbl v16.16b, { v16.16b }, v24.16b
+        tbl v17.16b, { v17.16b }, v25.16b
+        tbl v18.16b, { v18.16b }, v26.16b
+        tbl v19.16b, { v19.16b }, v27.16b
+        st1 { v16.4s }, [x7]
+        add x7, x7, x12, lsl #2
+        st1 { v17.4s }, [x7]
+        add x7, x7, x13, lsl #2
+        st1 { v18.4s }, [x7]
+        add x7, x7, x14, lsl #2
+        st1 { v19.4s }, [x7]
+        add x7, x7, x15, lsl #2
+        add x12, x12, x13
+        add x14, x14, x15
+        add x9, x9, x12
+        add x9, x9, x14
+        cmp x2, #0x30
+        b.hs Lrej_uniform_loop48
+
+Lrej_uniform_loop48_end:
+        cmp x9, x4
+        b.hs Lrej_uniform_memory_copy
+        cmp x2, #0x18
+        b.lo Lrej_uniform_memory_copy
+        sub x2, x2, #0x18
+        ld3 { v0.8b, v1.8b, v2.8b }, [x1], #24
+        movi v4.16b, #0x80
+        bic v2.16b, v2.16b, v4.16b
+        zip1 v4.16b, v0.16b, v1.16b
+        ushll v6.8h, v2.8b, #0x0
+        zip1 v16.8h, v4.8h, v6.8h
+        zip2 v17.8h, v4.8h, v6.8h
+        cmhi v4.4s, v30.4s, v16.4s
+        cmhi v5.4s, v30.4s, v17.4s
+        and v4.16b, v4.16b, v31.16b
+        and v5.16b, v5.16b, v31.16b
+        uaddlv d20, v4.4s
+        uaddlv d21, v5.4s
+        fmov x12, d20
+        fmov x13, d21
+        ldr q24, [x3, x12, lsl #4]
+        ldr q25, [x3, x13, lsl #4]
+        cnt v4.16b, v4.16b
+        cnt v5.16b, v5.16b
+        uaddlv d20, v4.4s
+        uaddlv d21, v5.4s
+        fmov x12, d20
+        fmov x13, d21
+        tbl v16.16b, { v16.16b }, v24.16b
+        tbl v17.16b, { v17.16b }, v25.16b
+        st1 { v16.4s }, [x7]
+        add x7, x7, x12, lsl #2
+        st1 { v17.4s }, [x7]
+        add x7, x7, x13, lsl #2
+        add x9, x9, x12
+        add x9, x9, x13
+
+Lrej_uniform_memory_copy:
+        cmp x9, x4
+        csel x9, x9, x4, lo
+        mov x11, #0x0               // =0
+        mov x7, x8
+
+Lrej_uniform_final_copy:
+        ldr q16, [x7], #0x40
+        ldur q17, [x7, #-0x30]
+        ldur q18, [x7, #-0x20]
+        ldur q19, [x7, #-0x10]
+        str q16, [x0], #0x40
+        stur q17, [x0, #-0x30]
+        stur q18, [x0, #-0x20]
+        stur q19, [x0, #-0x10]
+        add x11, x11, #0x10
+        cmp x11, #0x100
+        b.lt Lrej_uniform_final_copy
+        mov x0, x9
+        b Lrej_uniform_return
+
+Lrej_uniform_return:
+        add sp, sp, #0x440
+        .cfi_adjust_cfa_offset -0x440
+        ret
+        .cfi_endproc
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/proofs/hol_light/aarch64/proofs/dump_bytecode.ml b/proofs/hol_light/aarch64/proofs/dump_bytecode.ml
@@ -61,3 +61,7 @@ print_string "==== bytecode end =====================================\n\n";;
 print_string "=== bytecode start: aarch64/mldsa/polyz_unpack_19_aarch64_asm.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/polyz_unpack_19_aarch64_asm.o";;
 print_string "==== bytecode end =====================================\n\n";;
+
+print_string "=== bytecode start: aarch64/mldsa/rej_uniform_aarch64_asm.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/rej_uniform_aarch64_asm.o";;
+print_string "==== bytecode end =====================================\n\n";;
diff --git a/proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_table.ml b/proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_table.ml
diff --git a/proofs/hol_light/aarch64/proofs/rej_uniform_aarch64_asm.ml b/proofs/hol_light/aarch64/proofs/rej_uniform_aarch64_asm.ml
diff --git a/proofs/hol_light/common/mldsa_specs.ml b/proofs/hol_light/common/mldsa_specs.ml
diff --git a/scripts/autogen b/scripts/autogen
