Add HOL Light pointwise multiplication proofs for AArch64 and x86_64

Port the ML-DSA pointwise polynomial multiplication (Montgomery form)
and its HOL Light proofs of correctness from s2n-bignum to mldsa-native,
for both AArch64 (NEON) and x86_64 (AVX2).

The proofs verify the assembly implementations at the object-code level,
showing that output coefficients are congruent to the pointwise product
of the inputs modulo Q=8380417, with bounded output coefficients
(|output| <= Q-1). For AArch64, a constant-time and memory safety proof
is also included.

Ported from s2n-bignum commit ca6ec31a225a.

Signed-off-by: Jake Massimo <jakemas@amazon.com>

Author: jakemas

.github/workflows/hol_light.yml

@@ -83,6 +83,8 @@ jobs:
           # Dependencies on {name}.{S,ml} are implicit
           - name: mldsa_ntt
             needs: ["mldsa_specs.ml", "mldsa_zetas.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: mldsa_pointwise
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
           - name: mldsa_poly_caddq
             needs: ["aarch64_utils.ml"]
           - name: mldsa_poly_chknorm
@@ -171,6 +173,8 @@ jobs:
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
           - name: mldsa_intt
             needs: ["mldsa_specs.ml", "mldsa_utils.ml", "mldsa_zetas.ml"]
+          - name: mldsa_pointwise
+            needs: ["mldsa_specs.ml", "mldsa_utils.ml"]
     name: x86_64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-x64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

BIBLIOGRAPHY.md

@@ -250,6 +250,7 @@ source code and documentation.
   - [mldsa/src/native/x86_64/src/rej_uniform_eta4_avx2.c](mldsa/src/native/x86_64/src/rej_uniform_eta4_avx2.c)
   - [proofs/hol_light/x86_64/mldsa/mldsa_intt.S](proofs/hol_light/x86_64/mldsa/mldsa_intt.S)
   - [proofs/hol_light/x86_64/mldsa/mldsa_ntt.S](proofs/hol_light/x86_64/mldsa/mldsa_ntt.S)
+  - [proofs/hol_light/x86_64/mldsa/mldsa_pointwise.S](proofs/hol_light/x86_64/mldsa/mldsa_pointwise.S)
 
 ### `Round3_Spec`
 

dev/aarch64_clean/src/arith_native_aarch64.h

@@ -129,8 +129,23 @@ void mld_polyz_unpack_19_asm(int32_t *r, const uint8_t *buf,
 
 #define mld_poly_pointwise_montgomery_asm \
   MLD_NAMESPACE(poly_pointwise_montgomery_asm)
-void mld_poly_pointwise_montgomery_asm(int32_t *, const int32_t *,
-                                       const int32_t *);
+void mld_poly_pointwise_montgomery_asm(int32_t *r, const int32_t *a,
+                                       const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, MLDSA_N, 75423753))
+  requires(array_abs_bound(b, 0, MLDSA_N, 75423753))
+  /* check-magic: on */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)

dev/aarch64_opt/src/arith_native_aarch64.h

@@ -129,8 +129,23 @@ void mld_polyz_unpack_19_asm(int32_t *r, const uint8_t *buf,
 
 #define mld_poly_pointwise_montgomery_asm \
   MLD_NAMESPACE(poly_pointwise_montgomery_asm)
-void mld_poly_pointwise_montgomery_asm(int32_t *, const int32_t *,
-                                       const int32_t *);
+void mld_poly_pointwise_montgomery_asm(int32_t *r, const int32_t *a,
+                                       const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, MLDSA_N, 75423753))
+  requires(array_abs_bound(b, 0, MLDSA_N, 75423753))
+  /* check-magic: on */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)

dev/x86_64/src/arith_native_x86_64.h

@@ -104,7 +104,23 @@ void mld_polyz_unpack_19_avx2(int32_t *r, const uint8_t *a);
 
 #define mld_pointwise_avx2 MLD_NAMESPACE(pointwise_avx2)
 void mld_pointwise_avx2(int32_t *c, const int32_t *a, const int32_t *b,
-                        const int32_t *qdata);
+                        const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, MLDSA_N, 75423753))
+  requires(array_abs_bound(b, 0, MLDSA_N, 75423753))
+  /* check-magic: on */
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l4_avx2 MLD_NAMESPACE(pointwise_acc_l4_avx2)
 void mld_pointwise_acc_l4_avx2(int32_t c[MLDSA_N], const int32_t a[4][MLDSA_N],

mldsa/src/native/aarch64/src/arith_native_aarch64.h

@@ -129,8 +129,23 @@ void mld_polyz_unpack_19_asm(int32_t *r, const uint8_t *buf,
 
 #define mld_poly_pointwise_montgomery_asm \
   MLD_NAMESPACE(poly_pointwise_montgomery_asm)
-void mld_poly_pointwise_montgomery_asm(int32_t *, const int32_t *,
-                                       const int32_t *);
+void mld_poly_pointwise_montgomery_asm(int32_t *r, const int32_t *a,
+                                       const int32_t *b)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_pointwise.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, MLDSA_N, 75423753))
+  requires(array_abs_bound(b, 0, MLDSA_N, 75423753))
+  /* check-magic: on */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(r, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_polyvecl_pointwise_acc_montgomery_l4_asm \
   MLD_NAMESPACE(polyvecl_pointwise_acc_montgomery_l4_asm)

mldsa/src/native/x86_64/src/arith_native_x86_64.h

@@ -104,7 +104,23 @@ void mld_polyz_unpack_19_avx2(int32_t *r, const uint8_t *a);
 
 #define mld_pointwise_avx2 MLD_NAMESPACE(pointwise_avx2)
 void mld_pointwise_avx2(int32_t *c, const int32_t *a, const int32_t *b,
-                        const int32_t *qdata);
+                        const int32_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mldsa_pointwise.ml */
+__contract__(
+  requires(memory_no_alias(c, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(b, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  requires(array_abs_bound(a, 0, MLDSA_N, 75423753))
+  requires(array_abs_bound(b, 0, MLDSA_N, 75423753))
+  /* check-magic: on */
+  requires(qdata == mld_qdata)
+  assigns(memory_slice(c, sizeof(int32_t) * MLDSA_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(c, 0, MLDSA_N, 8380417))
+  /* check-magic: on */
+);
 
 #define mld_pointwise_acc_l4_avx2 MLD_NAMESPACE(pointwise_acc_l4_avx2)
 void mld_pointwise_acc_l4_avx2(int32_t c[MLDSA_N], const int32_t a[4][MLDSA_N],

nix/s2n_bignum/default.nix

@@ -4,12 +4,12 @@
 { stdenv, fetchFromGitHub, writeText, ... }:
 stdenv.mkDerivation rec {
   pname = "s2n_bignum";
-  version = "3bfe68deb9fbdaf23be0a927c362a87a799adc28";
+  version = "ca6ec31a225aaac11813d4055bbc55a0251b9452";
   src = fetchFromGitHub {
     owner = "awslabs";
     repo = "s2n-bignum";
     rev = "${version}";
-    hash = "sha256-C3SdYZ/PhfTmHefz3klO3l/lbEgtA8Hq9wjDmjd+Fek=";
+    hash = "sha256-60gaEW0Afkn/Ukd4wZAab0Nz7XkbWvN4+Q+LgqUv0Ho=";
   };
   setupHook = writeText "setup-hook.sh" ''
     export S2N_BIGNUM_DIR="$1"

proofs/cbmc/pointwise_native_aarch64/Makefile

@@ -0,0 +1,45 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = pointwise_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = pointwise_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly.c
+
+CHECK_FUNCTION_CONTRACTS=mld_poly_pointwise_montgomery_native
+USE_FUNCTION_CONTRACTS=mld_poly_pointwise_montgomery_asm
+USE_FUNCTION_CONTRACTS+=mld_sys_check_capability
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = pointwise_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+include ../Makefile.common

proofs/cbmc/pointwise_native_aarch64/pointwise_native_aarch64_harness.c

@@ -0,0 +1,18 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+
+int mld_poly_pointwise_montgomery_native(int32_t c[MLDSA_N],
+                                         const int32_t a[MLDSA_N],
+                                         const int32_t b[MLDSA_N]);
+
+void harness(void)
+{
+  int32_t *c, *a, *b;
+  int t;
+  t = mld_poly_pointwise_montgomery_native(c, a, b);
+}