Add HOL Light rej_uniform_eta4 proof for AArch64

Add formal correctness proof for the AArch64 mld_rej_uniform_eta4_asm
function, which performs rejection sampling with eta=4 for ML-DSA.

The proof verifies that the assembly implementation correctly:
- Extracts 4-bit nibbles from input bytes
- Filters nibbles < 9 using SIMD comparison + TBL permutation
- Maps accepted values n to (4 - n) as signed 32-bit integers
- Returns at most 256 coefficients with the correct count

Verified against the compiled object code (post-hoc, not trusting the
assembler) using the s2n-bignum ARM verification framework in HOL Light.
All 86 AArch64 instructions are mechanically verified across every
execution path (360+ ARM simulation steps). No CHEAT_TAC remains.

New files:
- mldsa_rej_uniform_eta4.S: standalone assembly for proof bytecodes
- mldsa_rej_uniform_eta4.ml: 547-line HOL Light correctness proof
- mldsa_rej_uniform_eta_table.ml: 256-entry lookup table constants

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jake Massimo <jakemas@amazon.com>

Author: jakemas

.github/workflows/hol_light.yml

@@ -95,6 +95,10 @@ jobs:
             needs: ["aarch64_utils.ml"]
           - name: mldsa_poly_chknorm
             needs: ["aarch64_utils.ml"]
+          - name: mldsa_rej_uniform_eta2
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "mldsa_rej_uniform_eta_table.ml", "subroutine_signatures.ml"]
+          - name: mldsa_rej_uniform_eta4
+            needs: ["mldsa_specs.ml", "aarch64_utils.ml", "mldsa_rej_uniform_eta_table.ml", "subroutine_signatures.ml"]
           - name: keccak_f1600_x1_scalar
             needs: ["keccak_spec.ml"]
           - name: keccak_f1600_x1_v84a

dev/aarch64_opt/src/arith_native_aarch64.h

@@ -81,12 +81,36 @@ uint64_t mld_rej_uniform_asm(int32_t *r, const uint8_t *buf, unsigned buflen,
 #define mld_rej_uniform_eta2_asm MLD_NAMESPACE(rej_uniform_eta2_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_eta2_asm(int32_t *r, const uint8_t *buf,
-                                  unsigned buflen, const uint8_t *table);
+                                  unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_eta2.ml */
+__contract__(
+  requires(buflen % 8 == 0)
+  requires(buflen >= 8)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, buflen))
+  requires(memory_no_alias(table, 4096)) /* check-magic: 4096 == 256 * 16 */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_abs_bound(r, 0, return_value, MLDSA_ETA + 1))
+);
 
 #define mld_rej_uniform_eta4_asm MLD_NAMESPACE(rej_uniform_eta4_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
-                                  unsigned buflen, const uint8_t *table);
+                                  unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_eta4.ml */
+__contract__(
+  requires(buflen % 8 == 0)
+  requires(buflen >= 8)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, buflen))
+  requires(memory_no_alias(table, 4096)) /* check-magic: 4096 == 256 * 16 */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_abs_bound(r, 0, return_value, MLDSA_ETA + 1))
+);
 
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
 void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);

mldsa/src/native/aarch64/src/arith_native_aarch64.h

@@ -81,12 +81,36 @@ uint64_t mld_rej_uniform_asm(int32_t *r, const uint8_t *buf, unsigned buflen,
 #define mld_rej_uniform_eta2_asm MLD_NAMESPACE(rej_uniform_eta2_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_eta2_asm(int32_t *r, const uint8_t *buf,
-                                  unsigned buflen, const uint8_t *table);
+                                  unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_eta2.ml */
+__contract__(
+  requires(buflen % 8 == 0)
+  requires(buflen >= 8)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, buflen))
+  requires(memory_no_alias(table, 4096)) /* check-magic: 4096 == 256 * 16 */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_abs_bound(r, 0, return_value, MLDSA_ETA + 1))
+);
 
 #define mld_rej_uniform_eta4_asm MLD_NAMESPACE(rej_uniform_eta4_asm)
 MLD_MUST_CHECK_RETURN_VALUE
 uint64_t mld_rej_uniform_eta4_asm(int32_t *r, const uint8_t *buf,
-                                  unsigned buflen, const uint8_t *table);
+                                  unsigned buflen, const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_rej_uniform_eta4.ml */
+__contract__(
+  requires(buflen % 8 == 0)
+  requires(buflen >= 8)
+  requires(memory_no_alias(r, sizeof(int32_t) * MLDSA_N))
+  requires(memory_no_alias(buf, buflen))
+  requires(memory_no_alias(table, 4096)) /* check-magic: 4096 == 256 * 16 */
+  assigns(memory_slice(r, sizeof(int32_t) * MLDSA_N))
+  ensures(return_value <= MLDSA_N)
+  ensures(array_abs_bound(r, 0, return_value, MLDSA_ETA + 1))
+);
 
 #define mld_poly_decompose_32_asm MLD_NAMESPACE(poly_decompose_32_asm)
 void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0);

nix/s2n_bignum/default.nix

@@ -4,12 +4,12 @@
 { stdenv, fetchFromGitHub, writeText, ... }:
 stdenv.mkDerivation rec {
   pname = "s2n_bignum";
-  version = "ca6ec31a225aaac11813d4055bbc55a0251b9452";
+  version = "bc5165085c04c37baf02acff5919006bb97f74dc";
   src = fetchFromGitHub {
-    owner = "awslabs";
+    owner = "jakemas";
     repo = "s2n-bignum";
     rev = "${version}";
-    hash = "sha256-60gaEW0Afkn/Ukd4wZAab0Nz7XkbWvN4+Q+LgqUv0Ho=";
+    hash = "sha256-pGi1lMPUo1nx35zF8JkRC6GcnpgtS80dd6MxYlvSKn4=";
   };
   setupHook = writeText "setup-hook.sh" ''
     export S2N_BIGNUM_DIR="$1"

proofs/cbmc/rej_uniform_eta2_native_aarch64/Makefile

@@ -0,0 +1,45 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = rej_uniform_eta2_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = rej_uniform_eta2_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+CHECK_FUNCTION_CONTRACTS=mld_rej_uniform_eta2_native
+USE_FUNCTION_CONTRACTS = mld_rej_uniform_eta2_asm
+USE_FUNCTION_CONTRACTS += mld_sys_check_capability
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--bitwuzla
+
+FUNCTION_NAME = rej_uniform_eta2_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+include ../Makefile.common

proofs/cbmc/rej_uniform_eta2_native_aarch64/rej_uniform_eta2_native_aarch64_harness.c

@@ -0,0 +1,19 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+int mld_rej_uniform_eta2_native(int32_t *r, unsigned len, const uint8_t *buf,
+                                unsigned buflen);
+
+void harness(void)
+{
+  int32_t *r;
+  unsigned len;
+  const uint8_t *buf;
+  unsigned buflen;
+  int t;
+  t = mld_rej_uniform_eta2_native(r, len, buf, buflen);
+}

proofs/cbmc/rej_uniform_eta4_native_aarch64/Makefile

@@ -0,0 +1,45 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = rej_uniform_eta4_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = rej_uniform_eta4_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+CHECK_FUNCTION_CONTRACTS=mld_rej_uniform_eta4_native
+USE_FUNCTION_CONTRACTS = mld_rej_uniform_eta4_asm
+USE_FUNCTION_CONTRACTS += mld_sys_check_capability
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--bitwuzla
+
+FUNCTION_NAME = rej_uniform_eta4_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+include ../Makefile.common

proofs/cbmc/rej_uniform_eta4_native_aarch64/rej_uniform_eta4_native_aarch64_harness.c

@@ -0,0 +1,19 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+int mld_rej_uniform_eta4_native(int32_t *r, unsigned len, const uint8_t *buf,
+                                unsigned buflen);
+
+void harness(void)
+{
+  int32_t *r;
+  unsigned len;
+  const uint8_t *buf;
+  unsigned buflen;
+  int t;
+  t = mld_rej_uniform_eta4_native(r, len, buf, buflen);
+}

proofs/hol_light/README.md

@@ -58,6 +58,8 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
   * AArch64 pointwise multiplication-accumulation (l=4): [mldsa_pointwise_acc_l4.S](aarch64/mldsa/mldsa_pointwise_acc_l4.S)
   * AArch64 pointwise multiplication-accumulation (l=5): [mldsa_pointwise_acc_l5.S](aarch64/mldsa/mldsa_pointwise_acc_l5.S)
   * AArch64 pointwise multiplication-accumulation (l=7): [mldsa_pointwise_acc_l7.S](aarch64/mldsa/mldsa_pointwise_acc_l7.S)
+  * AArch64 rejection sampling (eta=2): [mldsa_rej_uniform_eta2.S](aarch64/mldsa/mldsa_rej_uniform_eta2.S)
+  * AArch64 rejection sampling (eta=4): [mldsa_rej_uniform_eta4.S](aarch64/mldsa/mldsa_rej_uniform_eta4.S)
   * x86_64 forward NTT: [mldsa_ntt.S](x86_64/mldsa/mldsa_ntt.S)
   * x86_64 inverse NTT: [mldsa_intt.S](x86_64/mldsa/mldsa_intt.S)
   * x86_64 pointwise multiplication: [mldsa_pointwise.S](x86_64/mldsa/mldsa_pointwise.S)

proofs/hol_light/aarch64/Makefile

@@ -60,6 +60,8 @@ OBJ = mldsa/mldsa_ntt.o \
       mldsa/mldsa_pointwise_acc_l4.o                    \
       mldsa/mldsa_pointwise_acc_l5.o                    \
       mldsa/mldsa_pointwise_acc_l7.o                    \
+      mldsa/mldsa_rej_uniform_eta2.o                    \
+      mldsa/mldsa_rej_uniform_eta4.o                    \
       mldsa/keccak_f1600_x1_scalar.o                    \
       mldsa/keccak_f1600_x1_v84a.o                      \
       mldsa/keccak_f1600_x2_v84a.o                      \