Refactor mlk_polymat_permute_bitrev_to_custom

This commit refactors mlk_polymat_permute_bitrev_to_custom to not require the
helper function mlk_polyvec_permute_bitrev_to_custom.
The function was only needed due CBMC limitations.

Also updates CBMC to trial new build (CBMC PR#8705)
that solves performance problem for this proof.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Update to try Tautschnig's new CBMC build

Signed-off-by: Rod Chapman <rodchap@amazon.com>

Simplify polymat_permite_bitrev_to_customer() (native version)

The code structure now mimics the data structure to make proof tractable.

Also updates Makefile for this proof in line with the similar function
in mldsa-native.

Signed-off-by: Rod Chapman <rodchap@amazon.com>

Author: mkannwischer

mlkem/src/indcpa.c

@@ -181,40 +181,6 @@ static void mlk_unpack_ciphertext(mlk_polyvec *b, mlk_poly *v,
   mlk_poly_decompress_dv(v, c + MLKEM_POLYVECCOMPRESSEDBYTES_DU);
 }
 
-/* Helper function to ensure that the polynomial entries in the output
- * of gen_matrix use the standard (bitreversed) ordering of coefficients.
- * No-op unless a native backend with a custom ordering is used.
- *
- * We don't inline this into gen_matrix to avoid having to split the CBMC
- * proof for gen_matrix based on MLK_USE_NATIVE_NTT_CUSTOM_ORDER. */
-static void mlk_polyvec_permute_bitrev_to_custom(mlk_polyvec *v)
-__contract__(
-  /* We don't specify that this should be a permutation, but only
-   * that it does not change the bound established at the end of mlk_gen_matrix. */
-  requires(memory_no_alias(v, sizeof(mlk_polyvec)))
-  requires(forall(x, 0, MLKEM_K,
-    array_bound(v->vec[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
-  assigns(memory_slice(v, sizeof(mlk_polyvec)))
-  ensures(forall(x, 0, MLKEM_K,
-    array_bound(v->vec[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
-{
-#if defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER)
-  unsigned i;
-  for (i = 0; i < MLKEM_K; i++)
-  __loop__(
-     assigns(i, memory_slice(v, sizeof(mlk_polyvec)))
-     invariant(i <= MLKEM_K)
-     invariant(forall(x, 0, MLKEM_K,
-       array_bound(v->vec[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
-  {
-    mlk_poly_permute_bitrev_to_custom(v->vec[i].coeffs);
-  }
-#else  /* MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
-  /* Nothing to do */
-  (void)v;
-#endif /* !MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
-}
-
 static void mlk_polymat_permute_bitrev_to_custom(mlk_polymat *a)
 __contract__(
   /* We don't specify that this should be a permutation, but only
@@ -226,16 +192,31 @@ __contract__(
   ensures(forall(x, 0, MLKEM_K, forall(y, 0, MLKEM_K,
     array_bound(a->vec[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))))
 {
-  unsigned i;
+#if defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER)
+  unsigned i, j;
   for (i = 0; i < MLKEM_K; i++)
   __loop__(
-     assigns(i, memory_slice(a, sizeof(mlk_polymat)))
-     invariant(i <= MLKEM_K)
-     invariant(forall(x, 0, MLKEM_K, forall(y, 0, MLKEM_K,
-       array_bound(a->vec[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))))
+    assigns(i, j, memory_slice(a, sizeof(mlk_polymat)))
+    invariant(i <= MLKEM_K)
+    invariant(forall(x2, 0, MLKEM_K, forall(y2, 0, MLKEM_K,
+      array_bound(a->vec[x2].vec[y2].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))))
   {
-    mlk_polyvec_permute_bitrev_to_custom(&a->vec[i]);
+    for (j = 0; j < MLKEM_K; j++)
+    __loop__(
+      assigns(j, memory_slice(a, sizeof(mlk_polymat)))
+      invariant(i <= MLKEM_K)
+      invariant(j <= MLKEM_K)
+      invariant(forall(x3, 0, MLKEM_K, forall(y3, 0, MLKEM_K,
+        array_bound(a->vec[x3].vec[y3].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
+    )
+    {
+      mlk_poly_permute_bitrev_to_custom(a->vec[i].vec[j].coeffs);
+    }
   }
+#else  /* MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
+  /* Nothing to do */
+  (void)a;
+#endif /* !MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
 }
 
 /* Reference: `gen_matrix()` in the reference implementation @[REF].

nix/cbmc/default.nix

@@ -21,10 +21,10 @@ buildEnv {
       cbmc = cbmc.overrideAttrs (old: rec {
         version = "6.8.0";
         src = fetchFromGitHub {
-          owner = "diffblue";
+          owner = "tautschnig";
           repo = "cbmc";
-          hash = "sha256-PT6AYiwkplCeyMREZnGZA0BKl4ZESRC02/9ibKg7mYU=";
-          tag = "cbmc-6.8.0";
+          hash = "sha256-ng1zjICpmoHUWkG1PuLRmLtaUBmEALpRgNEpbsrnMV8=";
+          rev = "4f514dbd70c89e3bae03a59f1dc9837acf25885c";
         };
       });
       litani = callPackage ./litani.nix { }; # 1.29.0

…permute_bitrev_to_custom_native/Makefile …permute_bitrev_to_custom_native/Makefileproofs/cbmc/polyvec_permute_bitrev_to_custom_native/Makefile renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/Makefile proofs/cbmc/polyvec_permute_bitrev_to_custom_native/Makefile renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/Makefile

@@ -4,11 +4,11 @@
 include ../Makefile_params.common
 
 HARNESS_ENTRY = harness
-HARNESS_FILE = polyvec_permute_bitrev_to_custom_native_harness
+HARNESS_FILE = polymat_permute_bitrev_to_custom_native_harness
 
 # This should be a unique identifier for this proof, and will appear on the
 # Litani dashboard. It can be human-readable and contain spaces if you wish.
-PROOF_UID = mlk_polyvec_permute_bitrev_to_custom_native
+PROOF_UID = mlk_polymat_permute_bitrev_to_custom_native
 
 DEFINES += -DMLK_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLK_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
 INCLUDES +=
@@ -19,23 +19,23 @@ REMOVE_FUNCTION_BODY +=
 PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mlkem/src/indcpa.c
 
-CHECK_FUNCTION_CONTRACTS=mlk_polyvec_permute_bitrev_to_custom
-USE_FUNCTION_CONTRACTS= mlk_poly_permute_bitrev_to_custom
+CHECK_FUNCTION_CONTRACTS=mlk_polymat_permute_bitrev_to_custom
+USE_FUNCTION_CONTRACTS=mlk_poly_permute_bitrev_to_custom
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
 # Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
 EXTERNAL_SAT_SOLVER=
-CBMCFLAGS=--smt2
+CBMCFLAGS=--smt2 --slice-formula --no-array-field-sensitivity
 
-FUNCTION_NAME = mlk_polyvec_permute_bitrev_to_custom_native
+FUNCTION_NAME = mlk_polymat_permute_bitrev_to_custom_native
 
 # If this proof is found to consume huge amounts of RAM, you can set the
 # EXPENSIVE variable. With new enough versions of the proof tools, this will
 # restrict the number of EXPENSIVE CBMC jobs running at once. See the
 # documentation in Makefile.common under the "Job Pools" heading for details.
 # EXPENSIVE = true
-CBMC_OBJECT_BITS = 10
+CBMC_OBJECT_BITS = 12
 
 # If you require access to a file-local ("static") function or object to conduct
 # your proof, set the following (and do not include the original source file

…lyvec_permute_bitrev_to_custom_harness.c …ermute_bitrev_to_custom_native_harness.cproofs/cbmc/polyvec_permute_bitrev_to_custom/polyvec_permute_bitrev_to_custom_harness.c renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/polymat_permute_bitrev_to_custom_native_harness.c proofs/cbmc/polyvec_permute_bitrev_to_custom/polyvec_permute_bitrev_to_custom_harness.c renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/polymat_permute_bitrev_to_custom_native_harness.c

@@ -5,10 +5,10 @@
 #include <stdint.h>
 #include "poly_k.h"
 
-void mlk_polyvec_permute_bitrev_to_custom(mlk_polyvec *v);
+void mlk_polymat_permute_bitrev_to_custom(mlk_polymat *a);
 
 void harness(void)
 {
-  mlk_polyvec *v;
-  mlk_polyvec_permute_bitrev_to_custom(v);
+  mlk_polymat *a;
+  mlk_polymat_permute_bitrev_to_custom(a);
 }