Add debug assertions for reduce.c and polyvec.c #216 #416
Conversation
willieyz
force-pushed
the
cbmc-bound-assertions
branch
7 times, most recently
from
6ed6054 to
407a414
Compare
- This commit is ported from mlkem PR #214 - All implementations of functions in poly.c have bounds assertions for inputs and outputs added that match the CBMC specifications. Signed-off-by: willieyz <[email protected]>
willieyz
force-pushed
the
cbmc-bound-assertions
branch
from
407a414 to
a4cfae5
Compare
willieyz
changed the title
willieyz
changed the title
willieyz
force-pushed
the
cbmc-bound-assertions
branch
5 times, most recently
from
b99b71f to
1a95672
Compare
There was a problem hiding this comment.
Thanks @willieyz. This is a nice addition!
There are still quite a few things that could be improved.
mldsa/polyvec.c
Outdated
| @@ -384,11 +421,15 @@ void mld_polyveck_sub(mld_polyveck *u, const mld_polyveck *v) | |||
| { | |||
| mld_poly_sub(&u->vec[i], &v->vec[i]); | |||
| } | |||
|
|
|||
| mld_assert_bound_2d(u->vec, MLDSA_K, MLDSA_N, (int64_t)INT32_MIN, | |||
There was a problem hiding this comment.
This cast should not be needed.
mldsa/polyvec.c
Outdated
| } | ||
|
|
||
| void mld_polyvecl_reduce(mld_polyvecl *v) | ||
| { | ||
| unsigned int i; | ||
| mld_assert_bound_2d(v->vec, MLDSA_L, MLDSA_N, (int64_t)INT32_MIN, |
There was a problem hiding this comment.
This cast should not be needed.
| @@ -74,6 +74,8 @@ void mld_poly_add(mld_poly *r, const mld_poly *b) | |||
| void mld_poly_sub(mld_poly *r, const mld_poly *b) | |||
There was a problem hiding this comment.
Did you miss mld_poly_add or was that intentionally skipped?
There was a problem hiding this comment.
@mkannwischer , I leave this intentionally, because there is no any array_bound or array_abs_bound post-condition in the contract of mld_poly_add.
It do have some post-condition, but none of those are array_bound and array_abs_bound.
or should I add assertion for it according to those?
mldsa/poly.c
Outdated
| @@ -379,6 +393,8 @@ void mld_poly_uniform(mld_poly *a, const uint8_t seed[MLDSA_SEEDBYTES + 2]) | |||
|
|
|||
| /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ | |||
| mld_zeroize(buf, sizeof(buf)); | |||
|
|
|||
| mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q); | |||
There was a problem hiding this comment.
Can we have all assertions before the zeroize call please? Just to be consistent with mlkem-native that zeroize is the last step in the function.
There was a problem hiding this comment.
Fixed, Thank you for your reviewing!
mldsa/poly.c
Outdated
| @@ -84,6 +86,8 @@ void mld_poly_sub(mld_poly *r, const mld_poly *b) | |||
| { | |||
| r->coeffs[i] = r->coeffs[i] - b->coeffs[i]; | |||
| } | |||
|
|
|||
| mld_assert_bound(r->coeffs, MLDSA_N, (int64_t)INT32_MIN, REDUCE32_DOMAIN_MAX); | |||
There was a problem hiding this comment.
This cast should not be needed
| } | ||
|
|
||
| void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u, | ||
| const mld_polyvecl *v) | ||
| { | ||
| unsigned int i, j; | ||
| mld_assert_bound_2d(u->vec, MLDSA_L, MLDSA_N, 0, MLDSA_Q); |
There was a problem hiding this comment.
isn't this missing a pre-condition on v?
There was a problem hiding this comment.
Yes, sorry about the miss..
I had fixed it now, thank you for your reviewing!
| @@ -372,6 +407,8 @@ void mld_polyveck_add(mld_polyveck *u, const mld_polyveck *v) | |||
| void mld_polyveck_sub(mld_polyveck *u, const mld_polyveck *v) | |||
There was a problem hiding this comment.
mld_polyveck_add can have a post-condition in the contract - just like mld_polyvecl_add. That should be added and also be asserted.
There was a problem hiding this comment.
Added, thank you for your reviewing!
mldsa/polyvec.c
Outdated
| @@ -431,12 +477,15 @@ void mld_polyveck_invntt_tomont(mld_polyveck *v) | |||
| { | |||
| mld_poly_invntt_tomont(&v->vec[i]); | |||
| } | |||
|
|
|||
| mld_assert_abs_bound_2d(v->vec, MLDSA_K, MLDSA_N, MLD_NTT_BOUND); | |||
There was a problem hiding this comment.
This should be INTT_BOUND.
There was a problem hiding this comment.
Can the assertion for mld_poly_reduce now be added?
| @@ -141,6 +146,9 @@ void mld_poly_pointwise_montgomery(mld_poly *c, const mld_poly *a, | |||
| { | |||
There was a problem hiding this comment.
mld_poly_invntt_tomont should have an MLD_INTT_BOUND output bound.
willieyz
force-pushed
the
cbmc-bound-assertions
branch
2 times, most recently
from
8b12dbf to
7e05da5
Compare
Signed-off-by: willieyz <[email protected]>
- This commit is ported from mlkem PR #214 - All implementations of functions in polyvec.c have bounds assertions for inputs and outputs added that match the CBMC specifications. Signed-off-by: willieyz <[email protected]>
willieyz
force-pushed
the
cbmc-bound-assertions
branch
from
7e05da5 to
d36b82b
Compare
…test error Signed-off-by: willieyz <[email protected]>
willieyz
force-pushed
the
cbmc-bound-assertions
branch
from
d36b82b to
2ed2e64
Compare
Signed-off-by: willieyz <[email protected]>
willieyz
force-pushed
the
cbmc-bound-assertions
branch
from
494c599 to
f3858ea
Compare
Signed-off-by: willieyz <[email protected]>
Signed-off-by: willieyz <[email protected]>
Resolves Add debug assertions for reduce.c and polyvec.c #216
All implementations of functions in
poly.c,polyvec.chave bounds assertionsfor inputs and outputs added that match the CBMC specifications.
As for mlkem-native, if CBMC is enabled, the bounds assertions
are interpreted as CBMC proof obligations.