Add spec and proof for polyvec_matrix_expand

Signed-off-by: manastasova <[email protected]>

Author: manastasova

mldsa/polyvec.c

@@ -11,14 +11,38 @@
 void polyvec_matrix_expand(polyvecl mat[MLDSA_K],
                            const uint8_t rho[MLDSA_SEEDBYTES])
 {
-  unsigned int i, j;
+  /* Reference: This code is re-factored from the reference implementation
+   * to facilitate proof with CBMC and to improve readability.
+   *
+   * The temporary polyvecl and poly variables simplify the CBMC
+   * memory model by removing nested access patterns. Loop invariant
+   * checks are performed on the local variable tmp_polyvecl before
+   * assigning it to the output matrix |mat|. */
+
+  unsigned int i;
 
   for (i = 0; i < MLDSA_K; ++i)
+  __loop__(
+    assigns(i, memory_slice(mat, MLDSA_K * sizeof(polyvecl)))
+    invariant(i <= MLDSA_K)
+    invariant(forall(k1, 0, i, forall(l1, 0, MLDSA_L, array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+  )
   {
+    unsigned int j;
+    polyvecl tmp_polyvecl;
+
     for (j = 0; j < MLDSA_L; ++j)
+    __loop__(
+      assigns(j, memory_slice(&tmp_polyvecl, sizeof(polyvecl)))
+      invariant(j <= MLDSA_L)
+      invariant(forall(l1, 0, j, array_bound(tmp_polyvecl.vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q)))
+    )
     {
-      poly_uniform(&mat[i].vec[j], rho, (i << 8) + j);
+      poly temp_poly;
+      poly_uniform(&temp_poly, rho, (i << 8) + j);
+      tmp_polyvecl.vec[j] = temp_poly;
     }
+    mat[i] = tmp_polyvecl;
   }
 }
 
@@ -35,7 +59,7 @@ void polyvec_matrix_pointwise_montgomery(polyveck *t,
 }
 
 /**************************************************************/
-/************ Vectors of polynomials of length MLDSA_L **************/
+/********** Vectors of polynomials of length MLDSA_L **********/
 /**************************************************************/
 
 void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[MLDSA_CRHBYTES],
@@ -190,7 +214,7 @@ int polyvecl_chknorm(const polyvecl *v, int32_t bound)
 }
 
 /**************************************************************/
-/************ Vectors of polynomials of length MLDSA_K **************/
+/********** Vectors of polynomials of length MLDSA_K **********/
 /**************************************************************/
 
 void polyveck_uniform_eta(polyveck *v, const uint8_t seed[MLDSA_CRHBYTES],

mldsa/polyvec.h

@@ -619,7 +619,14 @@ __contract__(
  *              - const uint8_t rho[]: byte array containing seed rho
  **************************************************/
 void polyvec_matrix_expand(polyvecl mat[MLDSA_K],
-                           const uint8_t rho[MLDSA_SEEDBYTES]);
+                           const uint8_t rho[MLDSA_SEEDBYTES])
+__contract__(
+  requires(memory_no_alias(mat, MLDSA_K * sizeof(polyvecl)))
+  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
+  assigns(memory_slice(mat, MLDSA_K * sizeof(polyvecl)))
+  ensures(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
+    array_bound(mat[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+);
 
 #define polyvec_matrix_pointwise_montgomery \
   MLD_NAMESPACE(polyvec_matrix_pointwise_montgomery)

proofs/cbmc/polyvec_matrix_expand/Makefile

@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: Apache-2.0
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = polyvec_matrix_expand_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = polyvec_matrix_expand
+
+DEFINES +=
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/polyvec.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)polyvec_matrix_expand
+USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)poly_uniform
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = polyvec_matrix_expand
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/polyvec_matrix_expand/polyvec_matrix_expand_harness.c

@@ -0,0 +1,12 @@
+// Copyright (c) 2025 The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0
+
+#include "polyvec.h"
+
+void harness(void)
+{
+  polyvecl *mat;
+  const uint8_t *rho;
+
+  polyvec_matrix_expand(mat, rho);
+}