Refactor mlk_polymat_permute_bitrev_to_custom

This commit refactors mlk_polymat_permute_bitrev_to_custom to not require the
helper function mlk_polyvec_permute_bitrev_to_custom.
The function was only needed due CBMC limitations.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>

Author: mkannwischer

mlkem/src/indcpa.c

@@ -181,40 +181,6 @@ static void mlk_unpack_ciphertext(mlk_polyvec *b, mlk_poly *v,
   mlk_poly_decompress_dv(v, c + MLKEM_POLYVECCOMPRESSEDBYTES_DU);
 }
 
-/* Helper function to ensure that the polynomial entries in the output
- * of gen_matrix use the standard (bitreversed) ordering of coefficients.
- * No-op unless a native backend with a custom ordering is used.
- *
- * We don't inline this into gen_matrix to avoid having to split the CBMC
- * proof for gen_matrix based on MLK_USE_NATIVE_NTT_CUSTOM_ORDER. */
-static void mlk_polyvec_permute_bitrev_to_custom(mlk_polyvec *v)
-__contract__(
-  /* We don't specify that this should be a permutation, but only
-   * that it does not change the bound established at the end of mlk_gen_matrix. */
-  requires(memory_no_alias(v, sizeof(mlk_polyvec)))
-  requires(forall(x, 0, MLKEM_K,
-    array_bound(v->vec[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
-  assigns(memory_slice(v, sizeof(mlk_polyvec)))
-  ensures(forall(x, 0, MLKEM_K,
-    array_bound(v->vec[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
-{
-#if defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER)
-  unsigned i;
-  for (i = 0; i < MLKEM_K; i++)
-  __loop__(
-     assigns(i, memory_slice(v, sizeof(mlk_polyvec)))
-     invariant(i <= MLKEM_K)
-     invariant(forall(x, 0, MLKEM_K,
-       array_bound(v->vec[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
-  {
-    mlk_poly_permute_bitrev_to_custom(v->vec[i].coeffs);
-  }
-#else  /* MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
-  /* Nothing to do */
-  (void)v;
-#endif /* !MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
-}
-
 static void mlk_polymat_permute_bitrev_to_custom(mlk_polymat *a)
 __contract__(
   /* We don't specify that this should be a permutation, but only
@@ -227,15 +193,21 @@ __contract__(
     array_bound(a->vec[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))))
 {
   unsigned i;
-  for (i = 0; i < MLKEM_K; i++)
+#if defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER)
+  for (i = 0; i < MLKEM_K * MLKEM_K; i++)
   __loop__(
      assigns(i, object_whole(a))
-     invariant(i <= MLKEM_K)
+     invariant(i <= MLKEM_K * MLKEM_K)
      invariant(forall(x, 0, MLKEM_K, forall(y, 0, MLKEM_K,
        array_bound(a->vec[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))))
   {
-    mlk_polyvec_permute_bitrev_to_custom(&a->vec[i]);
+    mlk_poly_permute_bitrev_to_custom(
+        a->vec[i / MLKEM_K].vec[i % MLKEM_K].coeffs);
   }
+#else  /* MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
+  /* Nothing to do */
+  (void)a;
+#endif /* !MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
 }
 
 /* Reference: `gen_matrix()` in the reference implementation @[REF].

…permute_bitrev_to_custom_native/Makefile …permute_bitrev_to_custom_native/Makefileproofs/cbmc/polyvec_permute_bitrev_to_custom_native/Makefile renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/Makefile proofs/cbmc/polyvec_permute_bitrev_to_custom_native/Makefile renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/Makefile

@@ -4,11 +4,11 @@
 include ../Makefile_params.common
 
 HARNESS_ENTRY = harness
-HARNESS_FILE = polyvec_permute_bitrev_to_custom_native_harness
+HARNESS_FILE = polymat_permute_bitrev_to_custom_native_harness
 
 # This should be a unique identifier for this proof, and will appear on the
 # Litani dashboard. It can be human-readable and contain spaces if you wish.
-PROOF_UID = mlk_polyvec_permute_bitrev_to_custom_native
+PROOF_UID = mlk_polymat_permute_bitrev_to_custom_native
 
 DEFINES += -DMLK_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLK_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
 INCLUDES +=
@@ -19,16 +19,16 @@ REMOVE_FUNCTION_BODY +=
 PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mlkem/src/indcpa.c
 
-CHECK_FUNCTION_CONTRACTS=mlk_polyvec_permute_bitrev_to_custom
-USE_FUNCTION_CONTRACTS= mlk_poly_permute_bitrev_to_custom
+CHECK_FUNCTION_CONTRACTS=mlk_polymat_permute_bitrev_to_custom
+USE_FUNCTION_CONTRACTS=mlk_poly_permute_bitrev_to_custom
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
 # Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
 EXTERNAL_SAT_SOLVER=
 CBMCFLAGS=--smt2
 
-FUNCTION_NAME = mlk_polyvec_permute_bitrev_to_custom_native
+FUNCTION_NAME = mlk_polymat_permute_bitrev_to_custom_native
 
 # If this proof is found to consume huge amounts of RAM, you can set the
 # EXPENSIVE variable. With new enough versions of the proof tools, this will

…lyvec_permute_bitrev_to_custom_harness.c …ermute_bitrev_to_custom_native_harness.cproofs/cbmc/polyvec_permute_bitrev_to_custom/polyvec_permute_bitrev_to_custom_harness.c renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/polymat_permute_bitrev_to_custom_native_harness.c proofs/cbmc/polyvec_permute_bitrev_to_custom/polyvec_permute_bitrev_to_custom_harness.c renamed to proofs/cbmc/polymat_permute_bitrev_to_custom_native/polymat_permute_bitrev_to_custom_native_harness.c

@@ -5,10 +5,10 @@
 #include <stdint.h>
 #include "poly_k.h"
 
-void mlk_polyvec_permute_bitrev_to_custom(mlk_polyvec *v);
+void mlk_polymat_permute_bitrev_to_custom(mlk_polymat *a);
 
 void harness(void)
 {
-  mlk_polyvec *v;
-  mlk_polyvec_permute_bitrev_to_custom(v);
+  mlk_polymat *a;
+  mlk_polymat_permute_bitrev_to_custom(a);
 }