Switch mld_polymat to struct wrapper

- Change mld_polymat from mld_polyvecl[MLDSA_K] to struct wrapper
- Update all function signatures to use pointer style
- Fix all implementations to use struct member access
- Update CBMC harnesses and contracts

Addresses #737 (step 1 of #736)

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

Author: hanno-becker

mldsa/mldsa_native.S

@@ -259,6 +259,7 @@
 #undef mld_polyz_unpack
 /* mldsa/src/polyvec.h */
 #undef MLD_POLYVEC_H
+#undef mld_polymat
 #undef mld_polyvec_matrix_expand
 #undef mld_polyvec_matrix_pointwise_montgomery
 #undef mld_polyveck

mldsa/mldsa_native.c

@@ -256,6 +256,7 @@
 #undef mld_polyz_unpack
 /* mldsa/src/polyvec.h */
 #undef MLD_POLYVEC_H
+#undef mld_polymat
 #undef mld_polyvec_matrix_expand
 #undef mld_polyvec_matrix_pointwise_montgomery
 #undef mld_polyveck

mldsa/src/polyvec.c

@@ -31,18 +31,18 @@
  * of coefficients.
  * No-op unless a native backend with a custom ordering is used.
  */
-static void mld_polymat_permute_bitrev_to_custom(mld_polyvecl mat[MLDSA_K])
+static void mld_polymat_permute_bitrev_to_custom(mld_polymat *mat)
 __contract__(
   /* We don't specify that this should be a permutation, but only
    * that it does not change the bound established at the end of
    * mld_polyvec_matrix_expand.
    */
-  requires(memory_no_alias(mat, MLDSA_K * sizeof(mld_polyvecl)))
+  requires(memory_no_alias(mat, sizeof(mld_polymat)))
   requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
-  assigns(memory_slice(mat, sizeof(mld_polyvecl)*MLDSA_K))
+    array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+  assigns(memory_slice(mat, sizeof(mld_polymat)))
   ensures(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+    array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
 )
 {
 #if defined(MLD_USE_NATIVE_NTT_CUSTOM_ORDER)
@@ -52,7 +52,7 @@ __contract__(
   {
     for (j = 0; j < MLDSA_L; j++)
     {
-      mld_poly_permute_bitrev_to_custom(mat[i].vec[j].coeffs);
+      mld_poly_permute_bitrev_to_custom(mat->vec[i].vec[j].coeffs);
     }
   }
 
@@ -66,7 +66,7 @@ __contract__(
 
 
 MLD_INTERNAL_API
-void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
+void mld_polyvec_matrix_expand(mld_polymat *mat,
                                const uint8_t rho[MLDSA_SEEDBYTES])
 {
   unsigned int i, j;
@@ -91,14 +91,14 @@ void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
   /* Sample 4 matrix entries a time. */
   for (i = 0; i < (MLDSA_K * MLDSA_L / 4) * 4; i += 4)
   __loop__(
-    assigns(i, j, object_whole(seed_ext), memory_slice(mat, MLDSA_K * sizeof(mld_polyvecl)))
+    assigns(i, j, object_whole(seed_ext), memory_slice(mat, sizeof(mld_polymat)))
     invariant(i <= (MLDSA_K * MLDSA_L / 4) * 4 && i % 4 == 0)
     /* vectors 0 .. i / MLDSA_L are completely sampled */
     invariant(forall(k1, 0, i / MLDSA_L, forall(l1, 0, MLDSA_L,
-      array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+      array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
     /* last vector is sampled up to i % MLDSA_L */
     invariant(forall(k2, i / MLDSA_L, i / MLDSA_L + 1, forall(l2, 0, i % MLDSA_L,
-      array_bound(mat[k2].vec[l2].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+      array_bound(mat->vec[k2].vec[l2].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
   )
   {
     for (j = 0; j < 4; j++)
@@ -114,10 +114,10 @@ void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
       seed_ext[j][MLDSA_SEEDBYTES + 1] = x;
     }
 
-    mld_poly_uniform_4x(&mat[i / MLDSA_L].vec[i % MLDSA_L],
-                        &mat[(i + 1) / MLDSA_L].vec[(i + 1) % MLDSA_L],
-                        &mat[(i + 2) / MLDSA_L].vec[(i + 2) % MLDSA_L],
-                        &mat[(i + 3) / MLDSA_L].vec[(i + 3) % MLDSA_L],
+    mld_poly_uniform_4x(&mat->vec[i / MLDSA_L].vec[i % MLDSA_L],
+                        &mat->vec[(i + 1) / MLDSA_L].vec[(i + 1) % MLDSA_L],
+                        &mat->vec[(i + 2) / MLDSA_L].vec[(i + 2) % MLDSA_L],
+                        &mat->vec[(i + 3) / MLDSA_L].vec[(i + 3) % MLDSA_L],
                         seed_ext);
   }
 #else  /* !MLD_CONFIG_SERIAL_FIPS202_ONLY */
@@ -127,19 +127,19 @@ void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
   /* Entries omitted by the batch-sampling are sampled individually. */
   while (i < MLDSA_K * MLDSA_L)
   __loop__(
-    assigns(i, object_whole(seed_ext), memory_slice(mat, MLDSA_K * sizeof(mld_polyvecl)))
+    assigns(i, object_whole(seed_ext), memory_slice(mat, sizeof(mld_polymat)))
     invariant(i <= MLDSA_K * MLDSA_L)
     /* vectors 0 .. i / MLDSA_L are completely sampled */
     invariant(forall(k1, 0, i / MLDSA_L, forall(l1, 0, MLDSA_L,
-      array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+      array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
     /* last vector is sampled up to i % MLDSA_L */
     invariant(forall(k2, i / MLDSA_L, i / MLDSA_L + 1, forall(l2, 0, i % MLDSA_L,
-      array_bound(mat[k2].vec[l2].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+      array_bound(mat->vec[k2].vec[l2].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
   )
   {
     uint8_t x = (uint8_t)(i / MLDSA_L);
     uint8_t y = (uint8_t)(i % MLDSA_L);
-    mld_poly *this_poly = &mat[i / MLDSA_L].vec[i % MLDSA_L];
+    mld_poly *this_poly = &mat->vec[i / MLDSA_L].vec[i % MLDSA_L];
 
     seed_ext[0][MLDSA_SEEDBYTES + 0] = y;
     seed_ext[0][MLDSA_SEEDBYTES + 1] = x;
@@ -156,7 +156,7 @@ void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
 
 MLD_INTERNAL_API
 void mld_polyvec_matrix_pointwise_montgomery(mld_polyveck *t,
-                                             const mld_polyvecl mat[MLDSA_K],
+                                             const mld_polymat *mat,
                                              const mld_polyvecl *v)
 {
   unsigned int i;
@@ -170,7 +170,7 @@ void mld_polyvec_matrix_pointwise_montgomery(mld_polyveck *t,
                      array_abs_bound(t->vec[k0].coeffs, 0, MLDSA_N, MLDSA_Q)))
   )
   {
-    mld_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
+    mld_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat->vec[i], v);
   }
 
   mld_assert_abs_bound_2d(t->vec, MLDSA_K, MLDSA_N, MLDSA_Q);

mldsa/src/polyvec.h

@@ -17,6 +17,7 @@
  * within a single compilation unit. */
 #define mld_polyvecl MLD_ADD_PARAM_SET(mld_polyvecl)
 #define mld_polyveck MLD_ADD_PARAM_SET(mld_polyveck)
+#define mld_polymat MLD_ADD_PARAM_SET(mld_polymat)
 /* End of parameter set namespacing */
 
 /* Vectors of polynomials of length MLDSA_L */
@@ -231,6 +232,12 @@ typedef struct
   mld_poly vec[MLDSA_K];
 } mld_polyveck;
 
+/* Matrix of polynomials (K x L) */
+typedef struct
+{
+  mld_polyvecl vec[MLDSA_K];
+} mld_polymat;
+
 #define mld_polyveck_reduce MLD_NAMESPACE_KL(polyveck_reduce)
 /*************************************************
  * Name:        polyveck_reduce
@@ -746,18 +753,18 @@ __contract__(
  *              random coefficients a_{i,j} by performing rejection
  *              sampling on the output stream of SHAKE128(rho|j|i)
  *
- * Arguments:   - mld_polyvecl mat[MLDSA_K]: output matrix
+ * Arguments:   - mld_polymat *mat: pointer to output matrix
  *              - const uint8_t rho[]: byte array containing seed rho
  **************************************************/
 MLD_INTERNAL_API
-void mld_polyvec_matrix_expand(mld_polyvecl mat[MLDSA_K],
+void mld_polyvec_matrix_expand(mld_polymat *mat,
                                const uint8_t rho[MLDSA_SEEDBYTES])
 __contract__(
-  requires(memory_no_alias(mat, MLDSA_K * sizeof(mld_polyvecl)))
+  requires(memory_no_alias(mat, sizeof(mld_polymat)))
   requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
-  assigns(memory_slice(mat, MLDSA_K * sizeof(mld_polyvecl)))
+  assigns(memory_slice(mat, sizeof(mld_polymat)))
   ensures(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+    array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
 );
 
 
@@ -780,19 +787,19 @@ __contract__(
  *              inclusive.
  *
  * Arguments:   - mld_polyveck *t: pointer to output vector t
- *              - const mld_polyvecl mat[MLDSA_K]: pointer to input matrix
+ *              - const mld_polymat *mat: pointer to input matrix
  *              - const mld_polyvecl *v: pointer to input vector v
  **************************************************/
 MLD_INTERNAL_API
 void mld_polyvec_matrix_pointwise_montgomery(mld_polyveck *t,
-                                             const mld_polyvecl mat[MLDSA_K],
+                                             const mld_polymat *mat,
                                              const mld_polyvecl *v)
 __contract__(
   requires(memory_no_alias(t, sizeof(mld_polyveck)))
-  requires(memory_no_alias(mat, MLDSA_K*sizeof(mld_polyvecl)))
+  requires(memory_no_alias(mat, sizeof(mld_polymat)))
   requires(memory_no_alias(v, sizeof(mld_polyvecl)))
   requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-                                         array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+                                         array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
   requires(forall(l1, 0, MLDSA_L,
                   array_abs_bound(v->vec[l1].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
   assigns(memory_slice(t, sizeof(mld_polyveck)))

mldsa/src/sign.c

@@ -215,16 +215,17 @@ __contract__(
   ensures(forall(k2, 0, MLDSA_K, array_bound(t1->vec[k2].coeffs, 0, MLDSA_N, 0, 1 << 10)))
 )
 {
-  mld_polyvecl mat[MLDSA_K], s1hat;
+  mld_polymat mat;
+  mld_polyvecl s1hat;
   mld_polyveck t;
 
   /* Expand matrix */
-  mld_polyvec_matrix_expand(mat, rho);
+  mld_polyvec_matrix_expand(&mat, rho);
 
   /* Matrix-vector multiplication */
   s1hat = *s1;
   mld_polyvecl_ntt(&s1hat);
-  mld_polyvec_matrix_pointwise_montgomery(&t, mat, &s1hat);
+  mld_polyvec_matrix_pointwise_montgomery(&t, &mat, &s1hat);
   mld_polyveck_reduce(&t);
   mld_polyveck_invntt_tomont(&t);
 
@@ -251,7 +252,7 @@ __contract__(
   mld_shake256(tr, MLDSA_TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
 
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  mld_zeroize(mat, sizeof(mat));
+  mld_zeroize(&mat, sizeof(mat));
   mld_zeroize(&s1hat, sizeof(s1hat));
   mld_zeroize(&t, sizeof(t));
 }
@@ -407,7 +408,7 @@ __contract__(
  *                                   of exactly MLDSA_CRHBYTES bytes
  *              - const uint8_t *rhoprime: pointer to randomness seed
  *              - uint16_t nonce: current nonce value
- *              - const polyvecl mat[MLDSA_K]: expanded matrix
+ *              - const mld_polymat *mat: expanded matrix
  *              - const polyvecl *s1: secret vector s1
  *              - const polyveck *s2: secret vector s2
  *              - const polyveck *t0: vector t0
@@ -423,19 +424,19 @@ MLD_MUST_CHECK_RETURN_VALUE
 static int mld_attempt_signature_generation(
     uint8_t sig[CRYPTO_BYTES], const uint8_t *mu,
     const uint8_t rhoprime[MLDSA_CRHBYTES], uint16_t nonce,
-    const mld_polyvecl mat[MLDSA_K], const mld_polyvecl *s1,
-    const mld_polyveck *s2, const mld_polyveck *t0)
+    const mld_polymat *mat, const mld_polyvecl *s1, const mld_polyveck *s2,
+    const mld_polyveck *t0)
 __contract__(
   requires(memory_no_alias(sig, CRYPTO_BYTES))
   requires(memory_no_alias(mu, MLDSA_CRHBYTES))
   requires(memory_no_alias(rhoprime, MLDSA_CRHBYTES))
-  requires(memory_no_alias(mat, MLDSA_K * sizeof(mld_polyvecl)))
+  requires(memory_no_alias(mat, sizeof(mld_polymat)))
   requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
   requires(memory_no_alias(s2, sizeof(mld_polyveck)))
   requires(memory_no_alias(t0, sizeof(mld_polyveck)))
   requires(nonce <= NONCE_UB)
   requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-                                         array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+                                         array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
   requires(forall(k2, 0, MLDSA_K, array_abs_bound(t0->vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
   requires(forall(k3, 0, MLDSA_L, array_abs_bound(s1->vec[k3].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
   requires(forall(k4, 0, MLDSA_K, array_abs_bound(s2->vec[k4].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
@@ -584,7 +585,8 @@ int crypto_sign_signature_internal(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
   MLD_ALIGN uint8_t
       seedbuf[2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES + 2 * MLDSA_CRHBYTES];
   uint8_t *rho, *tr, *key, *mu, *rhoprime;
-  mld_polyvecl mat[MLDSA_K], s1;
+  mld_polymat mat;
+  mld_polyvecl s1;
   mld_polyveck t0, s2;
 
   uint16_t nonce = 0;
@@ -614,7 +616,7 @@ int crypto_sign_signature_internal(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
   /* Constant time: rho is part of the public key and, hence, public. */
   MLD_CT_TESTING_DECLASSIFY(rho, MLDSA_SEEDBYTES);
   /* Expand matrix and transform vectors */
-  mld_polyvec_matrix_expand(mat, rho);
+  mld_polyvec_matrix_expand(&mat, rho);
   mld_polyvecl_ntt(&s1);
   mld_polyveck_ntt(&s2);
   mld_polyveck_ntt(&t0);
@@ -638,7 +640,7 @@ int crypto_sign_signature_internal(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
     /* loop. We can therefore re-assert their bounds here as part of the     */
     /* loop invariant. This makes proof noticeably faster with CBMC          */
     invariant(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-              array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+              array_bound(mat.vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
     invariant(forall(k2, 0, MLDSA_K, array_abs_bound(t0.vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
     invariant(forall(k3, 0, MLDSA_L, array_abs_bound(s1.vec[k3].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
     invariant(forall(k4, 0, MLDSA_K, array_abs_bound(s2.vec[k4].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
@@ -661,7 +663,7 @@ int crypto_sign_signature_internal(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
     }
 
     attempt_result = mld_attempt_signature_generation(sig, mu, rhoprime, nonce,
-                                                      mat, &s1, &s2, &t0);
+                                                      &mat, &s1, &s2, &t0);
     nonce++;
     if (attempt_result == 0)
     {
@@ -673,7 +675,7 @@ int crypto_sign_signature_internal(uint8_t sig[CRYPTO_BYTES], size_t *siglen,
 
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(seedbuf, sizeof(seedbuf));
-  mld_zeroize(mat, sizeof(mat));
+  mld_zeroize(&mat, sizeof(mat));
   mld_zeroize(&s1, sizeof(s1));
   mld_zeroize(&s2, sizeof(s2));
   mld_zeroize(&t0, sizeof(t0));
@@ -788,7 +790,8 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
   MLD_ALIGN uint8_t c[MLDSA_CTILDEBYTES];
   MLD_ALIGN uint8_t c2[MLDSA_CTILDEBYTES];
   mld_poly cp;
-  mld_polyvecl mat[MLDSA_K], z;
+  mld_polymat mat;
+  mld_polyvecl z;
   mld_polyveck t1, w1, tmp, h;
 
   if (siglen != CRYPTO_BYTES)
@@ -827,10 +830,10 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 
   /* Matrix-vector multiplication; compute Az - c2^dt1 */
   mld_poly_challenge(&cp, c);
-  mld_polyvec_matrix_expand(mat, rho);
+  mld_polyvec_matrix_expand(&mat, rho);
 
   mld_polyvecl_ntt(&z);
-  mld_polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
+  mld_polyvec_matrix_pointwise_montgomery(&w1, &mat, &z);
 
   mld_poly_ntt(&cp);
   mld_polyveck_shiftl(&t1);
@@ -881,7 +884,7 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
   mld_zeroize(c, sizeof(c));
   mld_zeroize(c2, sizeof(c2));
   mld_zeroize(&cp, sizeof(cp));
-  mld_zeroize(mat, sizeof(mat));
+  mld_zeroize(&mat, sizeof(mat));
   mld_zeroize(&z, sizeof(z));
   mld_zeroize(&t1, sizeof(t1));
   mld_zeroize(&w1, sizeof(w1));

proofs/cbmc/attempt_signature_generation/attempt_signature_generation_harness.c

@@ -3,18 +3,20 @@
 
 #include "sign.h"
 
-int mld_attempt_signature_generation(
-    uint8_t *sig, const uint8_t *mu, const uint8_t rhoprime[MLDSA_CRHBYTES],
-    uint16_t nonce, const mld_polyvecl mat[MLDSA_K], const mld_polyvecl *s1,
-    const mld_polyveck *s2, const mld_polyveck *t0);
+int mld_attempt_signature_generation(uint8_t *sig, const uint8_t *mu,
+                                     const uint8_t rhoprime[MLDSA_CRHBYTES],
+                                     uint16_t nonce, mld_polymat *mat,
+                                     const mld_polyvecl *s1,
+                                     const mld_polyveck *s2,
+                                     const mld_polyveck *t0);
 
 void harness(void)
 {
   uint8_t *sig;
   uint8_t *mu;
   uint8_t *rhoprime;
   uint16_t nonce;
-  mld_polyvecl *mat;
+  mld_polymat *mat;
   mld_polyvecl *s1;
   mld_polyveck *s2;
   mld_polyveck *t0;

proofs/cbmc/polymat_permute_bitrev_to_custom/polymat_permute_bitrev_to_custom_harness.c

@@ -3,10 +3,10 @@
 
 #include "polyvec.h"
 
-void mld_polymat_permute_bitrev_to_custom(mld_polyvecl mat[MLDSA_K]);
+void mld_polymat_permute_bitrev_to_custom(mld_polymat *mat);
 
 void harness(void)
 {
-  mld_polyvecl *mat;
+  mld_polymat *mat;
   mld_polymat_permute_bitrev_to_custom(mat);
 }

proofs/cbmc/polyvec_matrix_expand/polyvec_matrix_expand_harness.c

@@ -5,7 +5,7 @@
 
 void harness(void)
 {
-  mld_polyvecl *mat;
+  mld_polymat *mat;
   uint8_t *rho;
 
   mld_polyvec_matrix_expand(mat, rho);

proofs/cbmc/polyvec_matrix_expand_serial/polyvec_matrix_expand_harness.c

@@ -5,7 +5,7 @@
 
 void harness(void)
 {
-  mld_polyvecl *mat;
+  mld_polymat *mat;
   uint8_t *rho;
 
   mld_polyvec_matrix_expand(mat, rho);