Hoist default C backend into separate functions(mld_rej_eta_c)

Signed-off-by: willieyz <willie.zhao@chelpis.com>

Author: willieyz

mldsa/src/poly_kl.c

@@ -32,6 +32,7 @@
  * of mldsa-native (e.g. with varying parameter sets)
  * within a single compilation unit. */
 #define mld_rej_eta MLD_ADD_PARAM_SET(mld_rej_eta)
+#define mld_rej_eta_c MLD_ADD_PARAM_SET(mld_rej_eta_c)
 #define mld_poly_decompose_c MLD_ADD_PARAM_SET(mld_poly_decompose_c)
 #define mld_poly_use_hint_c MLD_ADD_PARAM_SET(mld_poly_use_hint_c)
 #define mld_polyz_unpack_c MLD_ADD_PARAM_SET(mld_polyz_unpack_c)
@@ -224,9 +225,11 @@ void mld_poly_use_hint(mld_poly *b, const mld_poly *a, const mld_poly *h)
 #else /* MLDSA_ETA == 4 */
 #error "Invalid value of MLDSA_ETA"
 #endif /* MLDSA_ETA != 2 && MLDSA_ETA != 4 */
-static unsigned int mld_rej_eta(int32_t *a, unsigned int target,
-                                unsigned int offset, const uint8_t *buf,
-                                unsigned int buflen)
+
+MLD_STATIC_TESTABLE unsigned int mld_rej_eta_c(int32_t *a, unsigned int target,
+                                               unsigned int offset,
+                                               const uint8_t *buf,
+                                               unsigned int buflen)
 __contract__(
   requires(offset <= target && target <= MLDSA_N)
   requires(buflen <= (POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES))
@@ -242,36 +245,6 @@ __contract__(
   int t_valid;
   uint32_t t0, t1;
   mld_assert_abs_bound(a, offset, MLDSA_ETA + 1);
-
-/* TODO: CBMC proof based on mld_rej_uniform_eta2_native */
-#if MLDSA_ETA == 2 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA2)
-  if (offset == 0)
-  {
-    int ret;
-    ret = mld_rej_uniform_eta2_native(a, target, buf, buflen);
-    if (ret != MLD_NATIVE_FUNC_FALLBACK)
-    {
-      unsigned res = (unsigned)ret;
-      mld_assert_abs_bound(a, res, MLDSA_ETA + 1);
-      return res;
-    }
-  }
-/* TODO: CBMC proof based on mld_rej_uniform_eta4_native */
-#elif MLDSA_ETA == 4 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA4)
-  if (offset == 0)
-  {
-    int ret;
-    ret = mld_rej_uniform_eta4_native(a, target, buf, buflen);
-    if (ret != MLD_NATIVE_FUNC_FALLBACK)
-    {
-      unsigned res = (unsigned)ret;
-      mld_assert_abs_bound(a, res, MLDSA_ETA + 1);
-      return res;
-    }
-  }
-#endif /* !(MLDSA_ETA == 2 && MLD_USE_NATIVE_REJ_UNIFORM_ETA2) && MLDSA_ETA == \
-          4 && MLD_USE_NATIVE_REJ_UNIFORM_ETA4 */
-
   ctr = offset;
   pos = 0;
   while (ctr < target && pos < buflen)
@@ -326,6 +299,54 @@ __contract__(
   return ctr;
 }
 
+static unsigned int mld_rej_eta(int32_t *a, unsigned int target,
+                                unsigned int offset, const uint8_t *buf,
+                                unsigned int buflen)
+__contract__(
+  requires(offset <= target && target <= MLDSA_N)
+  requires(buflen <= (POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES))
+  requires(memory_no_alias(a, sizeof(int32_t) * target))
+  requires(memory_no_alias(buf, buflen))
+  requires(array_abs_bound(a, 0, offset, MLDSA_ETA + 1))
+  assigns(memory_slice(a, sizeof(int32_t) * target))
+  ensures(offset <= return_value && return_value <= target)
+  ensures(array_abs_bound(a, 0, return_value, MLDSA_ETA + 1))
+)
+{
+/* TODO: CBMC proof based on mld_rej_uniform_eta2_native */
+#if MLDSA_ETA == 2 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA2)
+  int ret;
+  mld_assert_abs_bound(a, offset, MLDSA_ETA + 1);
+  if (offset == 0)
+  {
+    ret = mld_rej_uniform_eta2_native(a, target, buf, buflen);
+    if (ret != MLD_NATIVE_FUNC_FALLBACK)
+    {
+      unsigned res = (unsigned)ret;
+      mld_assert_abs_bound(a, res, MLDSA_ETA + 1);
+      return res;
+    }
+  }
+/* TODO: CBMC proof based on mld_rej_uniform_eta4_native */
+#elif MLDSA_ETA == 4 && defined(MLD_USE_NATIVE_REJ_UNIFORM_ETA4)
+  int ret;
+  mld_assert_abs_bound(a, offset, MLDSA_ETA + 1);
+  if (offset == 0)
+  {
+    ret = mld_rej_uniform_eta4_native(a, target, buf, buflen);
+    if (ret != MLD_NATIVE_FUNC_FALLBACK)
+    {
+      unsigned res = (unsigned)ret;
+      mld_assert_abs_bound(a, res, MLDSA_ETA + 1);
+      return res;
+    }
+  }
+#endif /* !(MLDSA_ETA == 2 && MLD_USE_NATIVE_REJ_UNIFORM_ETA2) && MLDSA_ETA == \
+          4 && MLD_USE_NATIVE_REJ_UNIFORM_ETA4 */
+
+  return mld_rej_eta_c(a, target, offset, buf, buflen);
+}
+
 #if !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY)
 MLD_INTERNAL_API
 void mld_poly_uniform_eta_4x(mld_poly *r0, mld_poly *r1, mld_poly *r2,
@@ -906,6 +927,7 @@ void mld_polyw1_pack(uint8_t r[MLDSA_POLYW1_PACKEDBYTES], const mld_poly *a)
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */
 #undef mld_rej_eta
+#undef mld_rej_eta_c
 #undef mld_poly_decompose_c
 #undef mld_poly_use_hint_c
 #undef mld_polyz_unpack_c

proofs/cbmc/rej_eta/Makefile

@@ -20,7 +20,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
 
 CHECK_FUNCTION_CONTRACTS=mld_rej_eta
-USE_FUNCTION_CONTRACTS=
+USE_FUNCTION_CONTRACTS= mld_rej_eta_c
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 

proofs/cbmc/rej_eta_c/Makefile

@@ -0,0 +1,55 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = rej_eta_c_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = rej_eta_c
+
+DEFINES +=
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly_kl.c
+
+CHECK_FUNCTION_CONTRACTS=mld_rej_eta_c
+USE_FUNCTION_CONTRACTS=
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--bitwuzla
+
+FUNCTION_NAME = mld_rej_eta_c
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/rej_eta_c/rej_eta_c_harness.c

@@ -0,0 +1,20 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "poly.h"
+
+#define mld_rej_eta_c MLD_ADD_PARAM_SET(mld_rej_eta_c)
+static unsigned int mld_rej_eta_c(int32_t *a, unsigned int target,
+                                  unsigned int offset, const uint8_t *buf,
+                                  unsigned int buflen);
+
+void harness(void)
+{
+  int32_t *a;
+  unsigned int target;
+  unsigned int offset;
+  const uint8_t *buf;
+  unsigned int buflen;
+
+  mld_rej_eta_c(a, target, offset, buf, buflen);
+}