Hoist default C backend into separate functions(mld_poly_chknorm_c)

Signed-off-by: willieyz <willie.zhao@chelpis.com>

Author: willieyz

mldsa/src/poly.c

@@ -648,50 +648,18 @@ void mld_polyt0_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYT0_PACKEDBYTES])
                    (1 << (MLDSA_D - 1)) + 1);
 }
 
-/* Reference: explicitly checks the bound B to be <= (MLDSA_Q - 1) / 8).
- * This is unnecessary as it's always a compile-time constant.
- * We instead model it as a precondition.
- * Checking the bound is performed using a conditional arguing
- * that it is okay to leak which coefficient violates the bound (while the
- * coefficient itself must remain secret).
- * We instead perform everything in constant-time.
- * Also it is sufficient to check that it is smaller than
- * MLDSA_Q - REDUCE32_RANGE_MAX > (MLDSA_Q - 1) / 8).
- */
-MLD_INTERNAL_API
-uint32_t mld_poly_chknorm(const mld_poly *a, int32_t B)
+MLD_STATIC_TESTABLE uint32_t mld_poly_chknorm_c(const mld_poly *a, int32_t B)
+__contract__(
+  requires(memory_no_alias(a, sizeof(mld_poly)))
+  requires(0 <= B && B <= MLDSA_Q - REDUCE32_RANGE_MAX)
+  requires(array_bound(a->coeffs, 0, MLDSA_N, -REDUCE32_RANGE_MAX, REDUCE32_RANGE_MAX))
+  ensures(return_value == 0 || return_value == 0xFFFFFFFF)
+  ensures((return_value == 0) == array_abs_bound(a->coeffs, 0, MLDSA_N, B))
+)
 {
   unsigned int i;
   uint32_t t = 0;
   mld_assert_bound(a->coeffs, MLDSA_N, -REDUCE32_RANGE_MAX, REDUCE32_RANGE_MAX);
-#if defined(MLD_USE_NATIVE_POLY_CHKNORM)
-  {
-    /* TODO: proof */
-    int ret;
-    int success;
-    /* The native backend returns 0 if all coefficients are within the bound,
-     * 1 if at least one coefficient exceeds the bound, and
-     * -1 (MLD_NATIVE_FUNC_FALLBACK) if the platform does not have the
-     * required capabilities to run the native function.
-     */
-    ret = mld_poly_chknorm_native(a->coeffs, B);
-
-    success = (ret != MLD_NATIVE_FUNC_FALLBACK);
-    /* Constant-time: It would be fine to leak the return value of chknorm
-     * entirely (as it is fine to leak if any coefficient exceeded the bound or
-     * not). However, it is cleaner to perform declassification in sign.c.
-     * Hence, here we only declassify if the native function returned
-     * MLD_NATIVE_FUNC_FALLBACK or not (which solely depends on system
-     * capabilities).
-     */
-    MLD_CT_TESTING_DECLASSIFY(&success, sizeof(int));
-    if (success)
-    {
-      /* Convert 0 / 1 to 0 / 0xFFFFFFFF here */
-      return 0U - (uint32_t)ret;
-    }
-  }
-#endif /* MLD_USE_NATIVE_POLY_CHKNORM */
   for (i = 0; i < MLDSA_N; ++i)
   __loop__(
     invariant(i <= MLDSA_N)
@@ -722,6 +690,49 @@ uint32_t mld_poly_chknorm(const mld_poly *a, int32_t B)
   return t;
 }
 
+/* Reference: explicitly checks the bound B to be <= (MLDSA_Q - 1) / 8).
+ * This is unnecessary as it's always a compile-time constant.
+ * We instead model it as a precondition.
+ * Checking the bound is performed using a conditional arguing
+ * that it is okay to leak which coefficient violates the bound (while the
+ * coefficient itself must remain secret).
+ * We instead perform everything in constant-time.
+ * Also it is sufficient to check that it is smaller than
+ * MLDSA_Q - REDUCE32_RANGE_MAX > (MLDSA_Q - 1) / 8).
+ */
+MLD_INTERNAL_API
+uint32_t mld_poly_chknorm(const mld_poly *a, int32_t B)
+{
+#if defined(MLD_USE_NATIVE_POLY_CHKNORM)
+  /* TODO: proof */
+  int ret;
+  int success;
+  mld_assert_bound(a->coeffs, MLDSA_N, -REDUCE32_RANGE_MAX, REDUCE32_RANGE_MAX);
+  /* The native backend returns 0 if all coefficients are within the bound,
+   * 1 if at least one coefficient exceeds the bound, and
+   * -1 (MLD_NATIVE_FUNC_FALLBACK) if the platform does not have the
+   * required capabilities to run the native function.
+   */
+  ret = mld_poly_chknorm_native(a->coeffs, B);
+
+  success = (ret != MLD_NATIVE_FUNC_FALLBACK);
+  /* Constant-time: It would be fine to leak the return value of chknorm
+   * entirely (as it is fine to leak if any coefficient exceeded the bound or
+   * not). However, it is cleaner to perform declassification in sign.c.
+   * Hence, here we only declassify if the native function returned
+   * MLD_NATIVE_FUNC_FALLBACK or not (which solely depends on system
+   * capabilities).
+   */
+  MLD_CT_TESTING_DECLASSIFY(&success, sizeof(int));
+  if (success)
+  {
+    /* Convert 0 / 1 to 0 / 0xFFFFFFFF here */
+    return 0U - (uint32_t)ret;
+  }
+#endif /* MLD_USE_NATIVE_POLY_CHKNORM */
+  return mld_poly_chknorm_c(a, B);
+}
+
 #else  /* !MLD_CONFIG_MULTILEVEL_NO_SHARED */
 MLD_EMPTY_CU(mld_poly)
 #endif /* MLD_CONFIG_MULTILEVEL_NO_SHARED */

proofs/cbmc/poly_chknorm/Makefile

@@ -20,7 +20,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_chknorm
-USE_FUNCTION_CONTRACTS=mld_ct_abs_i32 mld_ct_cmask_neg_i32
+USE_FUNCTION_CONTRACTS=mld_poly_chknorm_c
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 

proofs/cbmc/poly_chknorm_c/Makefile

@@ -0,0 +1,55 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE =poly_chknorm_c_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_chknorm_c
+
+DEFINES +=
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly.c
+
+CHECK_FUNCTION_CONTRACTS=mld_poly_chknorm_c
+USE_FUNCTION_CONTRACTS=mld_ct_abs_i32 mld_ct_cmask_neg_i32
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = mld_poly_chknorm_c
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/poly_chknorm_c/poly_chknorm_c_harness.c

@@ -0,0 +1,15 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include "poly_kl.h"
+
+// Prototype for the function under test
+uint32_t mld_poly_chknorm_c(mld_poly *a, int32_t B);
+
+void harness(void)
+{
+  mld_poly *a;
+  uint32_t r;
+  int32_t B;
+  r = mld_poly_chknorm_c(a, B);
+}