Add fast, layer-merged forward and inverse NTT code.

Adjust and move proof files accordingly.

Signed-off-by: Rod Chapman <[email protected]>

Add support for NO_INLINE attribute and its
use with CBMC.

Signed-off-by: Rod Chapman <[email protected]>

Make top-level ntt_layer*() functions NO_INLINE
to improve comprehension and review of auto-vectorization
of this code.

Signed-off-by: Rod Chapman <[email protected]>

Add first two fast Invert NTT functions

Adds
  invntt_layer7_invert_inner()
  invntt_layer7_invert()

and their proof files.

Signed-off-by: Rod Chapman <[email protected]>

Remove dummy call to invntt_layer7_invert()

Signed-off-by: Rod Chapman <[email protected]>

Add Invert NTT Layer 6 functions.

Adds
  invntt_layer6_inner()
  invntt_layer6()
functions and their proof files.

Signed-off-by: Rod Chapman <[email protected]>

Simplify Zeta tables for layers 4 and 5.

Signed-off-by: Rod Chapman <[email protected]>

Adds Inverse NTT Layer54 (marged)

Adds functions
  invntt_layer54_inner()
  invntt_layer54()

and their proof files.

Signed-off-by: Rod Chapman <[email protected]>

Use new zeta constants in ntt_layer123()

Signed-off-by: Rod Chapman <[email protected]>

Adds first full implemenation of Inverse NTT with layer merging.

Adds function invntt_layer321() and its proof.

Updates top-level poly_invntt_tomont() to call new layer-merged implementation.

Renames existing implementation as poly_invntt_tomont_ref() for now.

Signed-off-by: Rod Chapman <[email protected]>

Update proof of poly_invntt_tomont()

Signed-off-by: Rod Chapman <[email protected]>

Remove reference implementation of poly_invntt_tomont()

Also removes local function invntt_layer()
and its proof.

Signed-off-by: Rod Chapman <[email protected]>

Switch to Z3 for these proofs, which is much faster than Bitwuzla.

Signed-off-by: Rod Chapman <[email protected]>

Switch back to Z3 for proof of ntt_layer123()

Signed-off-by: Rod Chapman <[email protected]>

Rename ntt_layer45_slice() to ntt_inner45_inner()

Signed-off-by: Rod Chapman <[email protected]>

Rename proof files

Signed-off-by: Rod Chapman <[email protected]>

Further renaming of ntt_layer45_slice() to ntt_layer45_inner()

Signed-off-by: Rod Chapman <[email protected]>

Rename *_slice() to *_inner() functions - phase 1

Signed-off-by: Rod Chapman <[email protected]>

Rename *_slice() functions to *_inner() - phase 2

Signed-off-by: Rod Chapman <[email protected]>

renaming *slioce() to *inner() - phase 3

Signed-off-by: Rod Chapman <[email protected]>

Display final 4 lines of logs/result.txt after make result

Signed-off-by: Rod Chapman <[email protected]>

Rename inner to butterfly for all internal ntt functions

Signed-off-by: Rod Chapman <[email protected]>

Rename harness function source files

Signed-off-by: Rod Chapman <[email protected]>

Adjust proof Makefiles and harnesses for renaming inner to butterfly

Signed-off-by: Rod Chapman <[email protected]>

Update Makefiles for function renaming

Signed-off-by: Rod Chapman <[email protected]>

Rename all inner functions to butterfly

Signed-off-by: Rod Chapman <[email protected]>

Replace literal 255 with (MLKEM_N - 1) throughout

Signed-off-by: Rod Chapman <[email protected]>

Move declaration of Zeta tables to be as close to their
point of first use as possible.

Add and adjust comments.

Signed-off-by: Rod Chapman <[email protected]>

Align and rename Zetas tables.

Signed-off-by: Rod Chapman <[email protected]>

Zetas tables are all declared with static scope

Signed-off-by: Rod Chapman <[email protected]>

Auto-generate Zeta tables for new layer-merged NTT

Signed-off-by: Rod Chapman <[email protected]>

This proof no longer needs zetas.c as a source file

Signed-off-by: Rod Chapman <[email protected]>

Move basemul_cached() function from ntt.[hc] to poly.c

It is now local, and static within poly.c, so is amenable
to inlining and auto-vectorization within that unit.

Signed-off-by: Rod Chapman <[email protected]>

Make basemul_cached() inline-able

Signed-off-by: Rod Chapman <[email protected]>

Add top-level explanatory comments

Signed-off-by: Rod Chapman <[email protected]>

Clarify and correct 1 typo in comment only.

Signed-off-by: Rod Chapman <[email protected]>

Move symlink from zetas.c to zetas.i

Signed-off-by: Rod Chapman <[email protected]>

Correct INVNTT_BOUND_REF for new implementation of Inverse NTT

Signed-off-by: Rod Chapman <[email protected]>

Add MLKEM_NAMESPACE to mlkem_layer7_zetas, since it is a global symbol

Signed-off-by: Rod Chapman <[email protected]>

Remove boilerplate comments from proof harness sources.

Signed-off-by: Rod Chapman <[email protected]>

Updates for namespacing of all static functions.

Signed-off-by: Rod Chapman <[email protected]>

Update this file following changes to other files

Signed-off-by: Rod Chapman <[email protected]>

Remove pc typedef and use int16_t r[MLKEM_N] instead throughout

Signed-off-by: Rod Chapman <[email protected]>

Adds namespacing to all static constant lookup tables.

In support of the monolithic build.

Signed-off-by: Rod Chapman <[email protected]>

Update auto-generates files following name-spacing of Zeta tables

Signed-off-by: Rod Chapman <[email protected]>

Remove declaration of basmul_cached() from ntt.h following rebase against PR 623

Signed-off-by: Rod Chapman <[email protected]>

Correct declaration of basemul_cached() to be static

Signed-off-by: Rod Chapman <[email protected]>

basemul_cached() is explicitly static, so does not also need MLKEM_NATIVE_INTERNAL_API

Signed-off-by: Rod Chapman <[email protected]>

remove sym link to zetas.c

Signed-off-by: Rod Chapman <[email protected]>

Add new symlink for zetas.i

Signed-off-by: Rod Chapman <[email protected]>

Add internal ct_butterfly() function and use it in ntt_layer123()

Same for other NTT layers and InvNTT is TBD.

Signed-off-by: Rod Chapman <[email protected]>

Update autogenerated file

Signed-off-by: Rod Chapman <[email protected]>

Update invariant and constants for exclusive array bounds checks.

Updates only ntt_layer123() for now to confirm effectiveness
of updates. Other functions will be updated once all is well.

Signed-off-by: Rod Chapman <[email protected]>

Update proofs for exclusive upper bound.

1. Upper bound of quantitied ranges is now exclusive
2. Upper bound of array element range constraint is now exclusive.

Signed-off-by: Rod Chapman <[email protected]>

Re-generate all auto-generated files after rebase

Signed-off-by: Rod Chapman <[email protected]>

Use inner ct_butterfly() function in all forward NTT functions.

Signed-off-by: Rod Chapman <[email protected]>

Updates for readability following review.

Introduces local gs_butterfly_reduce() and
gs_butterfly_defer() functions, which are inlined
for both compilation and proof, but significantly
simplify and improve readability of the calling
functions.

Signed-off-by: Rod Chapman <[email protected]>

Update auto-generated files after rebase

Signed-off-by: Rod Chapman <[email protected]>

Remove final STATIC_ASSERT() macro use

Signed-off-by: Rod Chapman <[email protected]>

Switch to unsigned type for loop index variables.

Signed-off-by: Rod Chapman <[email protected]>

Clarify comment on vectorization strategy

Signed-off-by: Rod Chapman <[email protected]>

Remove redundant proof files no longer needed on this branch.

Signed-off-by: Rod Chapman <[email protected]>

Correct use of BOUND() macro to debug_assert_abs_bound()

Signed-off-by: Rod Chapman <[email protected]>

Use "unsigned" where possible for zeta_index, start formal
parameters and loop index variables.

Drop redundant lower-bound for these objects in pre-conditions
and loop invariants.

Signed-off-by: Rod Chapman <[email protected]>

Correct bound pre-condition on basemul_cached()

Signed-off-by: Rod Chapman <[email protected]>

Author: rod-chapman

examples/bring_your_own_fips202/mlkem_native/zetas.c

@@ -0,0 +1 @@
+../../../mlkem/zetas.i

examples/bring_your_own_fips202/mlkem_native/zetas.i

@@ -0,0 +1 @@
+../../../../mlkem/zetas.i

examples/custom_backend/mlkem_native/mlkem/zetas.c

@@ -28,7 +28,6 @@
 #include "mlkem/polyvec.c"
 #include "mlkem/rej_uniform.c"
 #include "mlkem/verify.c"
-#include "mlkem/zetas.c"
 
 #if !defined(MLKEM_NATIVE_MONOBUILD_NO_FIPS202_SOURCES)
 #include "mlkem/fips202/fips202.c"
@@ -1314,18 +1313,123 @@
 #endif
 
 /* mlkem/ntt.c */
-#if defined(invntt_layer)
-#undef invntt_layer
+#if defined(MONT_F)
+#undef MONT_F
 #endif
 
 /* mlkem/ntt.c */
-#if defined(ntt_butterfly_block)
-#undef ntt_butterfly_block
+#if defined(NTT_BOUND1)
+#undef NTT_BOUND1
 #endif
 
 /* mlkem/ntt.c */
-#if defined(ntt_layer)
-#undef ntt_layer
+#if defined(NTT_BOUND2)
+#undef NTT_BOUND2
+#endif
+
+/* mlkem/ntt.c */
+#if defined(NTT_BOUND4)
+#undef NTT_BOUND4
+#endif
+
+/* mlkem/ntt.c */
+#if defined(NTT_BOUND6)
+#undef NTT_BOUND6
+#endif
+
+/* mlkem/ntt.c */
+#if defined(NTT_BOUND7)
+#undef NTT_BOUND7
+#endif
+
+/* mlkem/ntt.c */
+#if defined(NTT_BOUND8)
+#undef NTT_BOUND8
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ct_butterfly)
+#undef ct_butterfly
+#endif
+
+/* mlkem/ntt.c */
+#if defined(gs_butterfly_defer)
+#undef gs_butterfly_defer
+#endif
+
+/* mlkem/ntt.c */
+#if defined(gs_butterfly_reduce)
+#undef gs_butterfly_reduce
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer321)
+#undef invntt_layer321
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer54)
+#undef invntt_layer54
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer54_butterfly)
+#undef invntt_layer54_butterfly
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer6)
+#undef invntt_layer6
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer6_butterfly)
+#undef invntt_layer6_butterfly
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer7_invert)
+#undef invntt_layer7_invert
+#endif
+
+/* mlkem/ntt.c */
+#if defined(invntt_layer7_invert_butterfly)
+#undef invntt_layer7_invert_butterfly
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer123)
+#undef ntt_layer123
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer45)
+#undef ntt_layer45
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer45_butterfly)
+#undef ntt_layer45_butterfly
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer6)
+#undef ntt_layer6
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer6_butterfly)
+#undef ntt_layer6_butterfly
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer7)
+#undef ntt_layer7
+#endif
+
+/* mlkem/ntt.c */
+#if defined(ntt_layer7_butterfly)
+#undef ntt_layer7_butterfly
 #endif
 
 /* mlkem/ntt.h */
@@ -1334,8 +1438,8 @@
 #endif
 
 /* mlkem/ntt.h */
-#if defined(basemul_cached)
-#undef basemul_cached
+#if defined(layer7_zetas)
+#undef layer7_zetas
 #endif
 
 /* mlkem/ntt.h */
@@ -1348,11 +1452,6 @@
 #undef poly_ntt
 #endif
 
-/* mlkem/ntt.h */
-#if defined(zetas)
-#undef zetas
-#endif
-
 /* mlkem/params.h */
 #if defined(KECCAK_WAY)
 #undef KECCAK_WAY
@@ -1463,6 +1562,11 @@
 #undef UINT12_LIMIT
 #endif
 
+/* mlkem/poly.c */
+#if defined(basemul_cached)
+#undef basemul_cached
+#endif
+
 /* mlkem/poly.h */
 #if defined(INVNTT_BOUND)
 #undef INVNTT_BOUND
@@ -1863,6 +1967,26 @@
 #undef MLKEM_NATIVE_SYS_H
 #endif
 
+/* mlkem/sys.h */
+#if defined(NO_INLINE)
+#undef NO_INLINE
+#endif
+
+/* mlkem/sys.h */
+#if defined(NO_INLINE)
+#undef NO_INLINE
+#endif
+
+/* mlkem/sys.h */
+#if defined(NO_INLINE)
+#undef NO_INLINE
+#endif
+
+/* mlkem/sys.h */
+#if defined(NO_INLINE)
+#undef NO_INLINE
+#endif
+
 /* mlkem/sys.h */
 #if defined(RESTRICT)
 #undef RESTRICT