HOL-Light: Add AArch64 poly_decompose_{32,88} correctness proofs

Add functional correctness proofs for the AArch64 assembly implementations
of poly_decompose for both GAMMA2 variants:
- poly_decompose_32 (GAMMA2 = (Q-1)/32 = 261888, used in ML-DSA-65/87)
- poly_decompose_88 (GAMMA2 = (Q-1)/88 = 95232, used in ML-DSA-44)

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Author: mkannwischer

.github/workflows/hol_light.yml

@@ -115,6 +115,10 @@ jobs:
             needs: ["aarch64_utils.ml", "mldsa_polyz_unpack_consts.ml", "mldsa_specs.ml", "subroutine_signatures.ml"]
           - name: mldsa_polyz_unpack_19
             needs: ["aarch64_utils.ml", "mldsa_polyz_unpack_consts.ml", "mldsa_specs.ml", "subroutine_signatures.ml"]
+          - name: poly_decompose_32_aarch64_asm
+            needs: ["aarch64_utils.ml", "mldsa_specs.ml", "subroutine_signatures.ml"]
+          - name: poly_decompose_88_aarch64_asm
+            needs: ["aarch64_utils.ml", "mldsa_specs.ml", "subroutine_signatures.ml"]
     name: AArch64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-arm64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

proofs/hol_light/README.md

@@ -57,6 +57,8 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
   * AArch64 poly_chknorm: [mldsa_poly_chknorm.S](aarch64/mldsa/mldsa_poly_chknorm.S)
   * AArch64 poly_use_hint (l=5,7): [poly_use_hint_32_aarch64_asm.S](aarch64/mldsa/poly_use_hint_32_aarch64_asm.S)
   * AArch64 poly_use_hint (l=4): [poly_use_hint_88_aarch64_asm.S](aarch64/mldsa/poly_use_hint_88_aarch64_asm.S)
+  * AArch64 poly_decompose (l=5,7): [poly_decompose_32_aarch64_asm.S](aarch64/mldsa/poly_decompose_32_aarch64_asm.S)
+  * AArch64 poly_decompose (l=4): [poly_decompose_88_aarch64_asm.S](aarch64/mldsa/poly_decompose_88_aarch64_asm.S)
   * AArch64 pointwise multiplication: [mldsa_pointwise.S](aarch64/mldsa/mldsa_pointwise.S)
   * AArch64 pointwise multiplication-accumulation (l=4): [mldsa_pointwise_acc_l4.S](aarch64/mldsa/mldsa_pointwise_acc_l4.S)
   * AArch64 pointwise multiplication-accumulation (l=5): [mldsa_pointwise_acc_l5.S](aarch64/mldsa/mldsa_pointwise_acc_l5.S)

proofs/hol_light/aarch64/Makefile

@@ -57,6 +57,8 @@ OBJ = mldsa/mldsa_ntt.o \
       mldsa/mldsa_pointwise.o \
       mldsa/mldsa_poly_caddq.o \
       mldsa/mldsa_poly_chknorm.o                        \
+      mldsa/poly_decompose_32_aarch64_asm.o                   \
+      mldsa/poly_decompose_88_aarch64_asm.o                   \
       mldsa/mldsa_pointwise_acc_l4.o                    \
       mldsa/mldsa_pointwise_acc_l5.o                    \
       mldsa/mldsa_pointwise_acc_l7.o                    \

proofs/hol_light/aarch64/mldsa/poly_decompose_32_aarch64_asm.S

@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/aarch64_opt/src/poly_decompose_32_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_32_asm
+_PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_32_asm:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_32_asm
+PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_32_asm:
+#endif
+
+        .cfi_startproc
+        mov w4, #0xe001             // =57345
+        movk w4, #0x7f, lsl #16
+        dup v20.4s, w4
+        mov w5, #0xe100             // =57600
+        movk w5, #0x7b, lsl #16
+        dup v21.4s, w5
+        mov w7, #0xfe00             // =65024
+        movk w7, #0x7, lsl #16
+        dup v22.4s, w7
+        mov w11, #0x401             // =1025
+        movk w11, #0x4010, lsl #16
+        dup v23.4s, w11
+        mov x3, #0x10               // =16
+
+Lpoly_decompose_32_loop:
+        ldr q0, [x1]
+        ldr q1, [x1, #0x10]
+        ldr q2, [x1, #0x20]
+        ldr q3, [x1, #0x30]
+        sqdmulh v5.4s, v1.4s, v23.4s
+        srshr v5.4s, v5.4s, #0x12
+        cmgt v24.4s, v1.4s, v21.4s
+        mls v1.4s, v5.4s, v22.4s
+        bic v5.16b, v5.16b, v24.16b
+        add v1.4s, v1.4s, v24.4s
+        sqdmulh v6.4s, v2.4s, v23.4s
+        srshr v6.4s, v6.4s, #0x12
+        cmgt v24.4s, v2.4s, v21.4s
+        mls v2.4s, v6.4s, v22.4s
+        bic v6.16b, v6.16b, v24.16b
+        add v2.4s, v2.4s, v24.4s
+        sqdmulh v7.4s, v3.4s, v23.4s
+        srshr v7.4s, v7.4s, #0x12
+        cmgt v24.4s, v3.4s, v21.4s
+        mls v3.4s, v7.4s, v22.4s
+        bic v7.16b, v7.16b, v24.16b
+        add v3.4s, v3.4s, v24.4s
+        sqdmulh v4.4s, v0.4s, v23.4s
+        srshr v4.4s, v4.4s, #0x12
+        cmgt v24.4s, v0.4s, v21.4s
+        mls v0.4s, v4.4s, v22.4s
+        bic v4.16b, v4.16b, v24.16b
+        add v0.4s, v0.4s, v24.4s
+        str q5, [x0, #0x10]
+        str q6, [x0, #0x20]
+        str q7, [x0, #0x30]
+        str q4, [x0], #0x40
+        str q1, [x1, #0x10]
+        str q2, [x1, #0x20]
+        str q3, [x1, #0x30]
+        str q0, [x1], #0x40
+        subs x3, x3, #0x1
+        b.ne Lpoly_decompose_32_loop
+        ret
+        .cfi_endproc
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif

proofs/hol_light/aarch64/mldsa/poly_decompose_88_aarch64_asm.S

@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/aarch64_opt/src/poly_decompose_88_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_88_asm
+_PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_88_asm:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_88_asm
+PQCP_MLDSA_NATIVE_MLDSA44_poly_decompose_88_asm:
+#endif
+
+        .cfi_startproc
+        mov w4, #0xe001             // =57345
+        movk w4, #0x7f, lsl #16
+        dup v20.4s, w4
+        mov w5, #0x6c00             // =27648
+        movk w5, #0x7e, lsl #16
+        dup v21.4s, w5
+        mov w7, #0xe800             // =59392
+        movk w7, #0x2, lsl #16
+        dup v22.4s, w7
+        mov w11, #0x581             // =1409
+        movk w11, #0x5816, lsl #16
+        dup v23.4s, w11
+        mov x3, #0x10               // =16
+
+Lpoly_decompose_88_loop:
+        ldr q0, [x1]
+        ldr q1, [x1, #0x10]
+        ldr q2, [x1, #0x20]
+        ldr q3, [x1, #0x30]
+        sqdmulh v5.4s, v1.4s, v23.4s
+        srshr v5.4s, v5.4s, #0x11
+        cmgt v24.4s, v1.4s, v21.4s
+        mls v1.4s, v5.4s, v22.4s
+        bic v5.16b, v5.16b, v24.16b
+        add v1.4s, v1.4s, v24.4s
+        sqdmulh v6.4s, v2.4s, v23.4s
+        srshr v6.4s, v6.4s, #0x11
+        cmgt v24.4s, v2.4s, v21.4s
+        mls v2.4s, v6.4s, v22.4s
+        bic v6.16b, v6.16b, v24.16b
+        add v2.4s, v2.4s, v24.4s
+        sqdmulh v7.4s, v3.4s, v23.4s
+        srshr v7.4s, v7.4s, #0x11
+        cmgt v24.4s, v3.4s, v21.4s
+        mls v3.4s, v7.4s, v22.4s
+        bic v7.16b, v7.16b, v24.16b
+        add v3.4s, v3.4s, v24.4s
+        sqdmulh v4.4s, v0.4s, v23.4s
+        srshr v4.4s, v4.4s, #0x11
+        cmgt v24.4s, v0.4s, v21.4s
+        mls v0.4s, v4.4s, v22.4s
+        bic v4.16b, v4.16b, v24.16b
+        add v0.4s, v0.4s, v24.4s
+        str q5, [x0, #0x10]
+        str q6, [x0, #0x20]
+        str q7, [x0, #0x30]
+        str q4, [x0], #0x40
+        str q1, [x1, #0x10]
+        str q2, [x1, #0x20]
+        str q3, [x1, #0x30]
+        str q0, [x1], #0x40
+        subs x3, x3, #0x1
+        b.ne Lpoly_decompose_88_loop
+        ret
+        .cfi_endproc
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif

proofs/hol_light/aarch64/proofs/dump_bytecode.ml

@@ -42,6 +42,14 @@ print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_chknorm.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/mldsa_poly_chknorm.o";;
 print_string "==== bytecode end =====================================\n\n";;
 
+print_string "=== bytecode start: aarch64/mldsa/poly_decompose_32_aarch64_asm.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/poly_decompose_32_aarch64_asm.o";;
+print_string "==== bytecode end =====================================\n\n";;
+
+print_string "=== bytecode start: aarch64/mldsa/poly_decompose_88_aarch64_asm.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/poly_decompose_88_aarch64_asm.o";;
+print_string "==== bytecode end =====================================\n\n";;
+
 print_string "=== bytecode start: aarch64/mldsa/mldsa_polyz_unpack_17.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/mldsa_polyz_unpack_17.o";;
 print_string "==== bytecode end =====================================\n\n";;