verify memory usage: Unpack hints h on the fly

mkannwischer · mkannwischer · commit fa2a1b1b5184 · 2026-01-19T21:40:18.000+08:00
This commit splits up the signature unpacking into two parts: unpack_sig_c_z and unpack_sig_h. This allows delaying unpacking of the hints h until later during the verification which in turn allows re-using the buffer used for the matrix. This cuts memory consumption by L KiB. - Hoisted out from #751 Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
diff --git a/mldsa/mldsa_native.S b/mldsa/mldsa_native.S
@@ -257,7 +257,8 @@
 #undef mld_pack_sig_z
 #undef mld_pack_sk
 #undef mld_unpack_pk
-#undef mld_unpack_sig
+#undef mld_unpack_sig_c_z
+#undef mld_unpack_sig_h
 #undef mld_unpack_sk
 /* mldsa/src/params.h */
 #undef MLDSA_BETA
diff --git a/mldsa/mldsa_native.c b/mldsa/mldsa_native.c
@@ -253,7 +253,8 @@
 #undef mld_pack_sig_z
 #undef mld_pack_sk
 #undef mld_unpack_pk
-#undef mld_unpack_sig
+#undef mld_unpack_sig_c_z
+#undef mld_unpack_sig_h
 #undef mld_unpack_sk
 /* mldsa/src/params.h */
 #undef MLDSA_BETA
diff --git a/mldsa/mldsa_native.h b/mldsa/mldsa_native.h
@@ -928,15 +928,15 @@ int MLD_API_NAMESPACE(pk_from_sk)(
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 32992
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 36192
 #define MLD_TOTAL_ALLOC_44_SIGN 32448
-#define MLD_TOTAL_ALLOC_44_VERIFY 22464
+#define MLD_TOTAL_ALLOC_44_VERIFY 18368
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 46304
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 50048
 #define MLD_TOTAL_ALLOC_65_SIGN 44768
-#define MLD_TOTAL_ALLOC_65_VERIFY 30720
+#define MLD_TOTAL_ALLOC_65_VERIFY 25568
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 62688
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 66336
 #define MLD_TOTAL_ALLOC_87_SIGN 59104
-#define MLD_TOTAL_ALLOC_87_VERIFY 41216
+#define MLD_TOTAL_ALLOC_87_VERIFY 34016
 #endif /* !(MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM) */
 /* check-magic: on */
 
diff --git a/mldsa/src/packing.c b/mldsa/src/packing.c
@@ -9,13 +9,6 @@
 #include "poly.h"
 #include "polyvec.h"
 
-/* Parameter set namespacing
- * This is to facilitate building multiple instances
- * of mldsa-native (e.g. with varying parameter sets)
- * within a single compilation unit. */
-#define mld_unpack_hints MLD_ADD_PARAM_SET(mld_unpack_hints)
-/* End of parameter set namespacing */
-
 MLD_INTERNAL_API
 void mld_pack_pk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                  const uint8_t rho[MLDSA_SEEDBYTES], const mld_polyveck *t1)
@@ -177,33 +170,14 @@ void mld_pack_sig_z(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *zi,
   mld_polyz_pack(sig, zi);
 }
 
-/*************************************************
- * Name:        mld_unpack_hints
- *
- * Description: Unpack raw hint bytes into a polyveck
- *              struct
- *
- * Arguments:   - mld_polyveck *h: pointer to output hint vector h
- *              - const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES]:
- *                raw hint bytes
- *
- * Returns 1 in case of malformed hints; otherwise 0.
- **************************************************/
-static int mld_unpack_hints(
-    mld_polyveck *h, const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES])
-__contract__(
-  requires(memory_no_alias(packed_hints, MLDSA_POLYVECH_PACKEDBYTES))
-  requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  assigns(memory_slice(h, sizeof(mld_polyveck)))
-  /* All returned coefficients are either 0 or 1 */
-  ensures(forall(k1, 0, MLDSA_K,
-    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-  ensures(return_value >= 0 && return_value <= 1)
-)
+int mld_unpack_sig_h(mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
 {
   unsigned int i, j;
   unsigned int old_hint_count;
 
+  const uint8_t *packed_hints =
+      sig + MLDSA_CTILDEBYTES + MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
+
   /* Set all coefficients of all polynomials to 0.    */
   /* Only those that are actually non-zero hints will */
   /* be overwritten below.                            */
@@ -269,18 +243,12 @@ __contract__(
 }
 
 MLD_INTERNAL_API
-int mld_unpack_sig(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
-                   mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
+void mld_unpack_sig_c_z(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
+                        const uint8_t sig[MLDSA_CRYPTO_BYTES])
 {
   mld_memcpy(c, sig, MLDSA_CTILDEBYTES);
   sig += MLDSA_CTILDEBYTES;
 
   mld_polyvecl_unpack_z(z, sig);
   sig += MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
-
-  return mld_unpack_hints(h, sig);
 }
-
-/* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
- * Don't modify by hand -- this is auto-generated by scripts/autogen. */
-#undef mld_unpack_hints
diff --git a/mldsa/src/packing.h b/mldsa/src/packing.h
@@ -190,36 +190,55 @@ __contract__(
     array_bound(s2->vec[k2].coeffs, 0, MLDSA_N, MLD_POLYETA_UNPACK_LOWER_BOUND, MLDSA_ETA + 1)))
 );
 
-#define mld_unpack_sig MLD_NAMESPACE_KL(unpack_sig)
+#define mld_unpack_sig_h MLD_NAMESPACE_KL(unpack_sig_h)
 /*************************************************
- * Name:        mld_unpack_sig
+ * Name:        mld_unpack_sig_h
  *
- * Description: Unpack signature sig = (c, z, h).
+ * Description: Unpack h of signature sig = (c, z, h).
+ *              The (c, z) components unis packed separately using
+ *              mld_unpack_sig_c_z.
+ *
+ * Arguments:   - mld_polyveck *h: pointer to output hint vector h
+ *              - const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES]:
+ *                raw hint bytes
+ *
+ * Returns 1 in case of malformed hints; otherwise 0.
+ **************************************************/
+MLD_INTERNAL_API
+MLD_MUST_CHECK_RETURN_VALUE
+int mld_unpack_sig_h(mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
+__contract__(
+  requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
+  requires(memory_no_alias(h, sizeof(mld_polyveck)))
+  assigns(memory_slice(h, sizeof(mld_polyveck)))
+  ensures(forall(k1, 0, MLDSA_K,
+    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
+  ensures(return_value >= 0 && return_value <= 1)
+);
+
+#define mld_unpack_sig_c_z MLD_NAMESPACE_KL(unpack_sig_c_z)
+/*************************************************
+ * Name:        mld_unpack_sig_c_z
+ *
+ * Description: Unpack (c, z) of signature sig = (c, z, h).
+ *              The h component unis packed separately using mld_pack_sig_z.
  *
  * Arguments:   - uint8_t *c: pointer to output challenge hash
- *              - mld_polyvecl *z: pointer to output vector z
  *              - mld_polyveck *h: pointer to output hint vector h
- *              - const uint8_t sig[]: byte array containing
+ *              - const uint8_t sig[MLDSA_CRYPTO_BYTES]: byte array containing
  *                bit-packed signature
  *
- * Returns 1 in case of malformed signature; otherwise 0.
  **************************************************/
 MLD_INTERNAL_API
-MLD_MUST_CHECK_RETURN_VALUE
-int mld_unpack_sig(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
-                   mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
+void mld_unpack_sig_c_z(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
+                        const uint8_t sig[MLDSA_CRYPTO_BYTES])
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
   requires(memory_no_alias(c, MLDSA_CTILDEBYTES))
   requires(memory_no_alias(z, sizeof(mld_polyvecl)))
-  requires(memory_no_alias(h, sizeof(mld_polyveck)))
   assigns(memory_slice(c, MLDSA_CTILDEBYTES))
   assigns(memory_slice(z, sizeof(mld_polyvecl)))
-  assigns(memory_slice(h, sizeof(mld_polyveck)))
   ensures(forall(k0, 0, MLDSA_L,
     array_bound(z->vec[k0].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
-  ensures(forall(k1, 0, MLDSA_K,
-    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-  ensures(return_value >= 0 && return_value <= 1)
 );
 #endif /* !MLD_PACKING_H */
diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c
@@ -993,27 +993,38 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
   mld_polyveck *t1;
   mld_polyveck *w1;
 
+  /* TODO: Remove the following workaround for
+   * https://github.com/diffblue/cbmc/issues/8813 */
+  typedef MLD_UNION_OR_STRUCT
+  {
+    mld_polymat mat;
+    mld_polyveck h;
+  }
+  math_u;
+  mld_polymat *mat;
+  mld_polyveck *h;
+
   MLD_ALLOC(buf, uint8_t, (MLDSA_K * MLDSA_POLYW1_PACKEDBYTES), context);
   MLD_ALLOC(rho, uint8_t, MLDSA_SEEDBYTES, context);
   MLD_ALLOC(mu, uint8_t, MLDSA_CRHBYTES, context);
   MLD_ALLOC(c, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_ALLOC(c2, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_ALLOC(cp, mld_poly, 1, context);
-  MLD_ALLOC(mat, mld_polymat, 1, context);
+  MLD_ALLOC(math, math_u, 1, context);
   MLD_ALLOC(z, mld_polyvecl, 1, context);
   MLD_ALLOC(t1w1, t1w1_u, 1, context);
   MLD_ALLOC(tmp, mld_polyveck, 1, context);
-  MLD_ALLOC(h, mld_polyveck, 1, context);
 
   if (buf == NULL || rho == NULL || mu == NULL || c == NULL || c2 == NULL ||
-      cp == NULL || mat == NULL || z == NULL || t1w1 == NULL || tmp == NULL ||
-      h == NULL)
+      cp == NULL || math == NULL || z == NULL || t1w1 == NULL || tmp == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
   }
   t1 = &t1w1->t1;
   w1 = &t1w1->w1;
+  mat = &math->mat;
+  h = &math->h;
 
   if (siglen != MLDSA_CRYPTO_BYTES)
   {
@@ -1023,14 +1034,10 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
 
   mld_unpack_pk(rho, t1, pk);
 
-  /* mld_unpack_sig and mld_polyvecl_chknorm signal failure through a
+  mld_unpack_sig_c_z(c, z, sig);
+  /* mld_polyvecl_chknorm signals failure through a
    * single non-zero error code that's not yet aligned with MLD_ERR_XXX.
    * Map it to MLD_ERR_FAIL explicitly. */
-  if (mld_unpack_sig(c, z, h, sig))
-  {
-    ret = MLD_ERR_FAIL;
-    goto cleanup;
-  }
   if (mld_polyvecl_chknorm(z, MLDSA_GAMMA1 - MLDSA_BETA))
   {
     ret = MLD_ERR_FAIL;
@@ -1070,6 +1077,14 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
 
   /* Reconstruct w1 */
   mld_polyveck_caddq(w1);
+  /* mld_unpack_sig_h signals failure through a
+   * single non-zero error code that's not yet aligned with MLD_ERR_XXX.
+   * Map it to MLD_ERR_FAIL explicitly. */
+  if (mld_unpack_sig_h(h, sig))
+  {
+    ret = MLD_ERR_FAIL;
+    goto cleanup;
+  }
   mld_polyveck_use_hint(tmp, w1, h);
   mld_polyveck_pack_w1(buf, tmp);
   /* Call random oracle and verify challenge */
@@ -1085,11 +1100,10 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
 
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(h, mld_polyveck, 1, context);
   MLD_FREE(tmp, mld_polyveck, 1, context);
   MLD_FREE(t1w1, t1w1_u, 1, context);
   MLD_FREE(z, mld_polyvecl, 1, context);
-  MLD_FREE(mat, mld_polymat, 1, context);
+  MLD_FREE(math, math_u, 1, context);
   MLD_FREE(cp, mld_poly, 1, context);
   MLD_FREE(c2, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_FREE(c, uint8_t, MLDSA_CTILDEBYTES, context);
diff --git a/proofs/cbmc/sign_verify_internal/Makefile b/proofs/cbmc/sign_verify_internal/Makefile
@@ -21,7 +21,8 @@ PROJECT_SOURCES += $(SRCDIR)/mldsa/src/sign.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)verify_internal
 USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)unpack_pk
-USE_FUNCTION_CONTRACTS+=$(MLD_NAMESPACE)unpack_sig
+USE_FUNCTION_CONTRACTS+=$(MLD_NAMESPACE)unpack_sig_c_z
+USE_FUNCTION_CONTRACTS+=$(MLD_NAMESPACE)unpack_sig_h
 USE_FUNCTION_CONTRACTS+=$(MLD_NAMESPACE)polyvecl_chknorm
 USE_FUNCTION_CONTRACTS+=mld_H
 USE_FUNCTION_CONTRACTS+=$(MLD_NAMESPACE)poly_challenge
@@ -46,8 +47,9 @@ USE_DYNAMIC_FRAMES=1
 
 # Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
 EXTERNAL_SAT_SOLVER=
-CBMCFLAGS=--smt2
+CBMCFLAGS=--external-smt2-solver $(PROOF_ROOT)/lib/z3_no_bv_extract --z3
 CBMCFLAGS += --slice-formula
+CBMCFLAGS += --no-array-field-sensitivity
 
 FUNCTION_NAME = sign_verify_internal
 
@@ -58,7 +60,7 @@ FUNCTION_NAME = sign_verify_internal
 # EXPENSIVE = true
 
 # This function is large enough to need...
-CBMC_OBJECT_BITS = 10
+CBMC_OBJECT_BITS = 12
 
 # If you require access to a file-local ("static") function or object to conduct
 # your proof, set the following (and do not include the original source file
diff --git a/proofs/cbmc/unpack_sig_c_z/Makefile b/proofs/cbmc/unpack_sig_c_z/Makefile
@@ -4,11 +4,11 @@
 include ../Makefile_params.common
 
 HARNESS_ENTRY = harness
-HARNESS_FILE = unpack_sig_harness
+HARNESS_FILE = unpack_sig_c_z_harness
 
 # This should be a unique identifier for this proof, and will appear on the
 # Litani dashboard. It can be human-readable and contain spaces if you wish.
-PROOF_UID = unpack_sig
+PROOF_UID = unpack_sig_c_z
 
 DEFINES +=
 INCLUDES +=
@@ -18,8 +18,8 @@ REMOVE_FUNCTION_BODY +=
 PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/packing.c
 
-CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)unpack_sig
-USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvecl_unpack_z mld_unpack_hints
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)unpack_sig_c_z
+USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvecl_unpack_z
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
@@ -28,7 +28,7 @@ EXTERNAL_SAT_SOLVER=
 CBMCFLAGS=--smt2
 CBMCFLAGS+=--slice-formula
 
-FUNCTION_NAME = unpack_sig
+FUNCTION_NAME = unpack_sig_c_z
 
 # If this proof is found to consume huge amounts of RAM, you can set the
 # EXPENSIVE variable. With new enough versions of the proof tools, this will
diff --git a/proofs/cbmc/unpack_sig_c_z/unpack_sig_c_z_harness.c b/proofs/cbmc/unpack_sig_c_z/unpack_sig_c_z_harness.c
@@ -8,8 +8,6 @@ void harness(void)
 {
   uint8_t *c;
   uint8_t *sig;
-  mld_polyveck *h;
   mld_polyvecl *z;
-  int r;
-  r = mld_unpack_sig(c, z, h, sig);
+  mld_unpack_sig_c_z(c, z, sig);
 }
diff --git a/proofs/cbmc/unpack_sig_h/Makefile b/proofs/cbmc/unpack_sig_h/Makefile
@@ -4,11 +4,11 @@
 include ../Makefile_params.common
 
 HARNESS_ENTRY = harness
-HARNESS_FILE = unpack_hints_harness
+HARNESS_FILE = unpack_sig_h_harness
 
 # This should be a unique identifier for this proof, and will appear on the
 # Litani dashboard. It can be human-readable and contain spaces if you wish.
-PROOF_UID = unpack_hints
+PROOF_UID = unpack_sig_h
 
 DEFINES +=
 INCLUDES +=
@@ -18,7 +18,7 @@ REMOVE_FUNCTION_BODY +=
 PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/packing.c
 
-CHECK_FUNCTION_CONTRACTS=mld_unpack_hints
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)unpack_sig_h
 USE_FUNCTION_CONTRACTS=
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
@@ -28,7 +28,7 @@ EXTERNAL_SAT_SOLVER=
 CBMCFLAGS=--smt2
 CBMCFLAGS+=--slice-formula
 
-FUNCTION_NAME = mld_unpack_hints
+FUNCTION_NAME = unpack_sig_h
 
 # If this proof is found to consume huge amounts of RAM, you can set the
 # EXPENSIVE variable. With new enough versions of the proof tools, this will
diff --git a/proofs/cbmc/unpack_sig_h/unpack_sig_h_harness.c b/proofs/cbmc/unpack_sig_h/unpack_sig_h_harness.c
@@ -3,13 +3,10 @@
 
 #include "packing.h"
 
-int mld_unpack_hints(mld_polyveck *h,
-                     const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES]);
-
 void harness(void)
 {
   uint8_t *sig;
   mld_polyveck *h;
   int r;
-  r = mld_unpack_hints(h, sig);
+  r = mld_unpack_sig_h(h, sig);
 }

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@ void harness(void)`
`8`	`8`	`{`
`9`	`9`	`uint8_t *c;`
`10`	`10`	`uint8_t *sig;`
`11`		`- mld_polyveck *h;`
`12`	`11`	`mld_polyvecl *z;`
`13`		`- int r;`
`14`		`- r = mld_unpack_sig(c, z, h, sig);`
	`12`	`+ mld_unpack_sig_c_z(c, z, sig);`
`15`	`13`	`}`