Address review: rename files, move specs, remove aliases, add aarch64_utils dep

- Rename {.S,.ml} to poly_use_hint_{32,88}_aarch64_asm for PR #1058 consolidation
- Move mldsa_use_hint_{32,88}_spec to common/mldsa_specs.ml for x86 sharing
- Remove pointless IVAL_SMALL/VAL_IWORD_NUM aliases; use actual names
- Add aarch64_utils.ml to CI needs for both proofs
- Align comment style between _32 and _88 spec definitions
- Update Makefile, dump_bytecode, subroutine_signatures, README

Signed-off-by: Jake Massimo <jakemas@amazon.com>

Author: Ubuntu

.github/workflows/hol_light.yml

@@ -95,10 +95,10 @@ jobs:
             needs: ["aarch64_utils.ml"]
           - name: mldsa_poly_chknorm
             needs: ["aarch64_utils.ml"]
-          - name: mldsa_poly_use_hint_32
-            needs: ["mldsa_specs.ml", "subroutine_signatures.ml"]
-          - name: mldsa_poly_use_hint_88
-            needs: ["mldsa_specs.ml", "subroutine_signatures.ml"]
+          - name: poly_use_hint_32_aarch64_asm
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
+          - name: poly_use_hint_88_aarch64_asm
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "subroutine_signatures.ml"]
           - name: keccak_f1600_x1_scalar
             needs: ["keccak_spec.ml"]
           - name: keccak_f1600_x1_v84a

proofs/hol_light/README.md

@@ -54,8 +54,8 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
 - ML-DSA Arithmetic:
   * AArch64 poly_caddq: [mldsa_poly_caddq.S](aarch64/mldsa/mldsa_poly_caddq.S)
   * AArch64 poly_chknorm: [mldsa_poly_chknorm.S](aarch64/mldsa/mldsa_poly_chknorm.S)
-  * AArch64 poly_use_hint (l=5,7): [mldsa_poly_use_hint_32.S](aarch64/mldsa/mldsa_poly_use_hint_32.S)
-  * AArch64 poly_use_hint (l=4): [mldsa_poly_use_hint_88.S](aarch64/mldsa/mldsa_poly_use_hint_88.S)
+  * AArch64 poly_use_hint (l=5,7): [poly_use_hint_32_aarch64_asm.S](aarch64/mldsa/poly_use_hint_32_aarch64_asm.S)
+  * AArch64 poly_use_hint (l=4): [poly_use_hint_88_aarch64_asm.S](aarch64/mldsa/poly_use_hint_88_aarch64_asm.S)
   * AArch64 pointwise multiplication: [mldsa_pointwise.S](aarch64/mldsa/mldsa_pointwise.S)
   * AArch64 pointwise multiplication-accumulation (l=4): [mldsa_pointwise_acc_l4.S](aarch64/mldsa/mldsa_pointwise_acc_l4.S)
   * AArch64 pointwise multiplication-accumulation (l=5): [mldsa_pointwise_acc_l5.S](aarch64/mldsa/mldsa_pointwise_acc_l5.S)

proofs/hol_light/aarch64/Makefile

@@ -57,8 +57,8 @@ OBJ = mldsa/mldsa_ntt.o \
       mldsa/mldsa_pointwise.o \
       mldsa/mldsa_poly_caddq.o \
       mldsa/mldsa_poly_chknorm.o                        \
-      mldsa/mldsa_poly_use_hint_32.o                    \
-      mldsa/mldsa_poly_use_hint_88.o                    \
+      mldsa/poly_use_hint_32_aarch64_asm.o              \
+      mldsa/poly_use_hint_88_aarch64_asm.o              \
       mldsa/mldsa_pointwise_acc_l4.o                    \
       mldsa/mldsa_pointwise_acc_l5.o                    \
       mldsa/mldsa_pointwise_acc_l7.o                    \

…t/aarch64/mldsa/mldsa_poly_use_hint_32.S …h64/mldsa/poly_use_hint_32_aarch64_asm.Sproofs/hol_light/aarch64/mldsa/mldsa_poly_use_hint_32.S renamed to proofs/hol_light/aarch64/mldsa/poly_use_hint_32_aarch64_asm.S proofs/hol_light/aarch64/mldsa/mldsa_poly_use_hint_32.S renamed to proofs/hol_light/aarch64/mldsa/poly_use_hint_32_aarch64_asm.S

@@ -30,12 +30,12 @@ print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_caddq.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/mldsa_poly_caddq.o";;
 print_string "==== bytecode end =====================================\n\n";;
 
-print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_use_hint_32.o ===\n";;
-print_literal_from_elf "aarch64/mldsa/mldsa_poly_use_hint_32.o";;
+print_string "=== bytecode start: aarch64/mldsa/poly_use_hint_32_aarch64_asm.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/poly_use_hint_32_aarch64_asm.o";;
 print_string "==== bytecode end =====================================\n\n";;
 
-print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_use_hint_88.o ===\n";;
-print_literal_from_elf "aarch64/mldsa/mldsa_poly_use_hint_88.o";;
+print_string "=== bytecode start: aarch64/mldsa/poly_use_hint_88_aarch64_asm.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/poly_use_hint_88_aarch64_asm.o";;
 print_string "==== bytecode end =====================================\n\n";;
 
 print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_chknorm.o ===\n";;

…t/aarch64/mldsa/mldsa_poly_use_hint_88.S …h64/mldsa/poly_use_hint_88_aarch64_asm.Sproofs/hol_light/aarch64/mldsa/mldsa_poly_use_hint_88.S renamed to proofs/hol_light/aarch64/mldsa/poly_use_hint_88_aarch64_asm.S proofs/hol_light/aarch64/mldsa/mldsa_poly_use_hint_88.S renamed to proofs/hol_light/aarch64/mldsa/poly_use_hint_88_aarch64_asm.S

@@ -13,11 +13,11 @@ needs "common/mldsa_specs.ml";;
 needs "aarch64/proofs/aarch64_utils.ml";;
 
 
-(**** print_literal_from_elf "aarch64/mldsa/mldsa_poly_use_hint_32.o";;
+(**** print_literal_from_elf "aarch64/mldsa/poly_use_hint_32_aarch64_asm.o";;
  ****)
 
-let mldsa_poly_use_hint_32_mc = define_assert_from_elf
- "mldsa_poly_use_hint_32_mc" "aarch64/mldsa/mldsa_poly_use_hint_32.o"
+let poly_use_hint_32_aarch64_asm_mc = define_assert_from_elf
+ "poly_use_hint_32_aarch64_asm_mc" "aarch64/mldsa/poly_use_hint_32_aarch64_asm.o"
 (*** BYTECODE START ***)
 [
   0x529c0024;       (* arm_MOV W4 (rvalue (word 57345)) *)
@@ -92,32 +92,7 @@ let mldsa_poly_use_hint_32_mc = define_assert_from_elf
 ];;
 (*** BYTECODE END ***)
 
-let MLDSA_USE_HINT_EXEC = ARM_MK_EXEC_RULE mldsa_poly_use_hint_32_mc;;
-
-(* ========================================================================= *)
-(* Functional specification: UseHint for ML-DSA parameter sets 65/87         *)
-(*                                                                           *)
-(* Constants:                                                                *)
-(*   Q = 8380417                                                             *)
-(*   GAMMA2 = (Q-1)/32 = 261888                                              *)
-(*   2*GAMMA2 = 523776                                                       *)
-(*   Output range: [0, 15]                                                   *)
-(*                                                                           *)
-(* This is the per-coefficient UseHint function from FIPS 204 Algorithm 38:  *)
-(*   1. decompose: a1 = round_half_down(a / 523776), a0 = a - a1*523776     *)
-(*   2. if hint=0: return a1 mod 16                                          *)
-(*   3. if a0 > 0: return (a1 + 1) mod 16                                    *)
-(*   4. if a0 <= 0: return (a1 - 1) mod 16                                   *)
-(* ========================================================================= *)
-
-let mldsa_use_hint_32_spec = new_definition
-  `mldsa_use_hint_32_spec (a:num) (h:num) =
-   let a1 = ((((a + 127) DIV 128) * 1025 + 2097152) DIV 4194304) MOD 16 in
-   let a0:int = &a - &a1 * &523776 in
-   let a0' = if a0 > &4190208 then a0 - &8380417 else a0 in
-   if h = 0 then a1
-   else if a0' > &0 then (a1 + 1) MOD 16
-   else (a1 + 15) MOD 16`;;
+let POLY_USE_HINT_32_AARCH64_ASM_EXEC = ARM_MK_EXEC_RULE poly_use_hint_32_aarch64_asm_mc;;
 
 (* Per-element word function matching the assembly computation *)
 let mldsa_use_hint_32_asm = new_definition
@@ -133,16 +108,13 @@ let mldsa_use_hint_32_asm = new_definition
 (* Functional correctness helper lemmas                                       *)
 (* ========================================================================= *)
 
-let IVAL_SMALL = MLDSA_IVAL_VAL;;
-let VAL_IWORD_NUM = VAL_IWORD_NUM_32;;
-
 let WORD_2SMULH_NOSATURATE_32 = prove(
   `!a:int32. val a < 8380417
    ==> word_2smulh a (word 1074791425:int32) : int32 =
        iword((&2 * &(val a) * &1074791425) div &2 pow 32)`,
   GEN_TAC THEN DISCH_TAC THEN
   REWRITE_TAC[word_2smulh; DIMINDEX_32] THEN
-  ASM_SIMP_TAC[IVAL_SMALL] THEN
+  ASM_SIMP_TAC[MLDSA_IVAL_VAL] THEN
   CONV_TAC WORD_REDUCE_CONV THEN
   REWRITE_TAC[iword_saturate; word_INT_MIN; word_INT_MAX; DIMINDEX_32] THEN
   CONV_TAC NUM_REDUCE_CONV THEN CONV_TAC WORD_REDUCE_CONV THEN
@@ -172,11 +144,11 @@ let VAL_DECOMPOSE_A1 = prove(
    [MATCH_MP_TAC(ARITH_RULE `x <= y ==> x < y + 1`) THEN
     MATCH_MP_TAC DIV_MONO THEN ASM_ARITH_TAC; CONV_TAC NUM_REDUCE_CONV]; ALL_TAC] THEN
   REWRITE_TAC[INT_OF_NUM_CLAUSES] THEN SIMP_TAC[INT_OF_NUM_DIV] THEN
-  CONV_TAC NUM_REDUCE_CONV THEN ASM_SIMP_TAC[VAL_IWORD_NUM] THEN
+  CONV_TAC NUM_REDUCE_CONV THEN ASM_SIMP_TAC[VAL_IWORD_NUM_32] THEN
   ABBREV_TAC `t:int32 = iword(&((2 * val(a:int32) * 1074791425) DIV 4294967296))` THEN
   SUBGOAL_THEN `val(t:int32) = (2 * val(a:int32) * 1074791425) DIV 4294967296`
     ASSUME_TAC THENL
-  [EXPAND_TAC "t" THEN MATCH_MP_TAC VAL_IWORD_NUM THEN ASM_REWRITE_TAC[]; ALL_TAC] THEN
+  [EXPAND_TAC "t" THEN MATCH_MP_TAC VAL_IWORD_NUM_32 THEN ASM_REWRITE_TAC[]; ALL_TAC] THEN
   SUBGOAL_THEN `val(t:int32) < 2147483648` ASSUME_TAC THENL
   [ASM_REWRITE_TAC[]; ALL_TAC] THEN
   REWRITE_TAC[word_ishr_round] THEN CONV_TAC NUM_REDUCE_CONV THEN CONV_TAC INT_REDUCE_CONV THEN
@@ -190,7 +162,7 @@ let VAL_DECOMPOSE_A1 = prove(
    TRANS_TAC LT_TRANS `(4194303 + 131072) DIV 262144 + 1` THEN CONJ_TAC THENL
    [MATCH_MP_TAC(ARITH_RULE `x <= y ==> x < y + 1`) THEN
     MATCH_MP_TAC DIV_MONO THEN ASM_ARITH_TAC; CONV_TAC NUM_REDUCE_CONV]; ALL_TAC] THEN
-  ASM_SIMP_TAC[VAL_IWORD_NUM] THEN MATCH_MP_TAC VAL_IWORD_NUM THEN
+  ASM_SIMP_TAC[VAL_IWORD_NUM_32] THEN MATCH_MP_TAC VAL_IWORD_NUM_32 THEN
   UNDISCH_THEN `val(t:int32) = (2 * val(a:int32) * 1074791425) DIV 4294967296`
     (SUBST1_TAC o SYM) THEN ASM_REWRITE_TAC[]);;
 
@@ -427,13 +399,13 @@ let ELEMENT_CORRECT_WORD = prove(
 (* Correctness proof (output bounds)                                          *)
 (* ========================================================================= *)
 
-let MLDSA_USE_HINT_CORRECT = prove
+let POLY_USE_HINT_32_AARCH64_ASM_CORRECT = prove
  (`!b a h x y pc.
-    nonoverlapping (word pc, LENGTH mldsa_poly_use_hint_32_mc) (b, 1024) /\
+    nonoverlapping (word pc, LENGTH poly_use_hint_32_aarch64_asm_mc) (b, 1024) /\
     nonoverlapping (b, 1024) (a, 1024) /\
     nonoverlapping (b, 1024) (h, 1024)
     ==> ensures arm
-          (\s. aligned_bytes_loaded s (word pc) mldsa_poly_use_hint_32_mc /\
+          (\s. aligned_bytes_loaded s (word pc) poly_use_hint_32_aarch64_asm_mc /\
                read PC s = word pc /\
                C_ARGUMENTS [b; a; h] s /\
                (!i. i < 256 ==> val(x i) < 8380417) /\
@@ -455,7 +427,7 @@ let MLDSA_USE_HINT_CORRECT = prove
      `x:num->int32`; `y:num->int32`; `pc:num`] THEN
   REWRITE_TAC[MAYCHANGE_REGS_AND_FLAGS_PERMITTED_BY_ABI; C_ARGUMENTS;
               NONOVERLAPPING_CLAUSES; ALL;
-              fst MLDSA_USE_HINT_EXEC] THEN
+              fst POLY_USE_HINT_32_AARCH64_ASM_EXEC] THEN
   DISCH_THEN(REPEAT_TCL CONJUNCTS_THEN ASSUME_TAC) THEN
   GLOBALIZE_PRECONDITION_TAC THEN
   CONV_TAC(RATOR_CONV(LAND_CONV(ONCE_DEPTH_CONV EXPAND_CASES_CONV))) THEN
@@ -474,7 +446,7 @@ let MLDSA_USE_HINT_CORRECT = prove
   DISCARD_MATCHING_ASSUMPTIONS [`read (memory :> bytes32 a) s = x`] THEN
 
   (* Simulate 878 instructions (excluding RET) *)
-  MAP_EVERY (fun n -> ARM_STEPS_TAC MLDSA_USE_HINT_EXEC [n] THEN
+  MAP_EVERY (fun n -> ARM_STEPS_TAC POLY_USE_HINT_32_AARCH64_ASM_EXEC [n] THEN
                       SIMD_SIMPLIFY_TAC[])
         (1--878) THEN
   ENSURES_FINAL_STATE_TAC THEN ASM_REWRITE_TAC[] THEN
@@ -519,13 +491,13 @@ let MLDSA_USE_HINT_CORRECT = prove
 (* Subroutine form                                                           *)
 (* ========================================================================= *)
 
-let MLDSA_USE_HINT_SUBROUTINE_CORRECT = prove
+let POLY_USE_HINT_32_AARCH64_ASM_SUBROUTINE_CORRECT = prove
  (`!b a h x y pc returnaddress.
-    nonoverlapping (word pc, LENGTH mldsa_poly_use_hint_32_mc) (b, 1024) /\
+    nonoverlapping (word pc, LENGTH poly_use_hint_32_aarch64_asm_mc) (b, 1024) /\
     nonoverlapping (b, 1024) (a, 1024) /\
     nonoverlapping (b, 1024) (h, 1024)
     ==> ensures arm
-          (\s. aligned_bytes_loaded s (word pc) mldsa_poly_use_hint_32_mc /\
+          (\s. aligned_bytes_loaded s (word pc) poly_use_hint_32_aarch64_asm_mc /\
                read PC s = word pc /\
                read X30 s = returnaddress /\
                C_ARGUMENTS [b; a; h] s /\
@@ -541,10 +513,10 @@ let MLDSA_USE_HINT_SUBROUTINE_CORRECT = prove
                  word(mldsa_use_hint_32_spec (val(x i)) (val(y i)))))
           (MAYCHANGE_REGS_AND_FLAGS_PERMITTED_BY_ABI ,,
            MAYCHANGE [memory :> bytes(b, 1024)])`,
-  REWRITE_TAC[fst MLDSA_USE_HINT_EXEC] THEN
-  ARM_ADD_RETURN_NOSTACK_TAC MLDSA_USE_HINT_EXEC
-    (REWRITE_RULE[fst MLDSA_USE_HINT_EXEC]
-       MLDSA_USE_HINT_CORRECT));;
+  REWRITE_TAC[fst POLY_USE_HINT_32_AARCH64_ASM_EXEC] THEN
+  ARM_ADD_RETURN_NOSTACK_TAC POLY_USE_HINT_32_AARCH64_ASM_EXEC
+    (REWRITE_RULE[fst POLY_USE_HINT_32_AARCH64_ASM_EXEC]
+       POLY_USE_HINT_32_AARCH64_ASM_CORRECT));;
 
 
 (* ========================================================================= *)
@@ -557,20 +529,20 @@ needs "aarch64/proofs/subroutine_signatures.ml";;
 
 let full_spec,public_vars = mk_safety_spec
     ~keep_maychanges:false
-    (assoc "mldsa_poly_use_hint_32" subroutine_signatures)
-    MLDSA_USE_HINT_SUBROUTINE_CORRECT
-    MLDSA_USE_HINT_EXEC;;
+    (assoc "poly_use_hint_32_aarch64_asm" subroutine_signatures)
+    POLY_USE_HINT_32_AARCH64_ASM_SUBROUTINE_CORRECT
+    POLY_USE_HINT_32_AARCH64_ASM_EXEC;;
 
-let MLDSA_USE_HINT_SUBROUTINE_SAFE = time prove
+let POLY_USE_HINT_32_AARCH64_ASM_SUBROUTINE_SAFE = time prove
  (`exists f_events.
        forall e b a h pc returnaddress.
-           nonoverlapping (word pc,LENGTH mldsa_poly_use_hint_32_mc) (b,1024) /\
+           nonoverlapping (word pc,LENGTH poly_use_hint_32_aarch64_asm_mc) (b,1024) /\
            nonoverlapping (b,1024) (a,1024) /\
            nonoverlapping (b,1024) (h,1024)
            ==> ensures arm
                (\s.
                     aligned_bytes_loaded s (word pc)
-                    mldsa_poly_use_hint_32_mc /\
+                    poly_use_hint_32_aarch64_asm_mc /\
                     read PC s = word pc /\
                     read X30 s = returnaddress /\
                     C_ARGUMENTS [b; a; h] s /\
@@ -584,4 +556,4 @@ let MLDSA_USE_HINT_SUBROUTINE_SAFE = time prove
                          [b,1024]))
                (\s s'. true)`,
   ASSERT_CONCL_TAC full_spec THEN
-  PROVE_SAFETY_SPEC_TAC ~public_vars:public_vars MLDSA_USE_HINT_EXEC);;
+  PROVE_SAFETY_SPEC_TAC ~public_vars:public_vars POLY_USE_HINT_32_AARCH64_ASM_EXEC);;