TEST

hanno-becker · hanno-becker · commit b6cd5eef70e4 · 2025-03-27T19:57:57.000Z
Signed-off-by: Hanno Becker &lt;beckphan@amazon.co.uk&gt;
diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
@@ -36,7 +36,6 @@ jobs:
     permissions:
       contents: 'read'
       id-token: 'write'
-    needs: [ base ]
     uses: ./.github/workflows/cbmc.yml
     secrets: inherit
   oqs_integration:
diff --git a/mlkem/indcpa.c b/mlkem/indcpa.c
@@ -228,7 +228,7 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
      * This call writes across mlk_polyvec boundaries for K=2 and K=3.
      * This is intentional and safe.
      */
-    mlk_poly_rej_uniform_x4(&a[i], seed_ext);
+    mlk_poly_rej_uniform_x4(&a[0][0] + i, seed_ext);
   }
 
   /* For MLKEM_K == 3, sample the last entry individually. */
@@ -249,7 +249,7 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
       seed_ext[0][MLKEM_SYMBYTES + 1] = x;
     }
 
-    mlk_poly_rej_uniform(&a[i], seed_ext[0]);
+    mlk_poly_rej_uniform(&a[0][0] + i, seed_ext[0]);
     i++;
   }
 
@@ -261,7 +261,10 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
    */
   for (i = 0; i < MLKEM_K * MLKEM_K; i++)
   {
-    mlk_poly_permute_bitrev_to_custom(a[i].coeffs);
+    for (j = 0; i < MLKEM_K * MLKEM_K; i++)
+    {
+       mlk_poly_permute_bitrev_to_custom(a[i][j].coeffs);
+    }
   }
 
   /* Specification: Partially implements
@@ -288,15 +291,15 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
  * Specification: Implements [FIPS 203, Section 2.4.7, Eq (2.12), (2.13)]
  *
  **************************************************/
-static void mlk_matvec_mul(mlk_polyvec out, const mlk_polymat a,
+static void mlk_matvec_mul(mlk_polyvec out, mlk_polymat a,
                            const mlk_polyvec v, const mlk_polyvec_mulcache vc)
 __contract__(
   requires(memory_no_alias(out, sizeof(mlk_polyvec)))
   requires(memory_no_alias(a, sizeof(mlk_polymat)))
   requires(memory_no_alias(v, sizeof(mlk_polyvec)))
   requires(memory_no_alias(vc, sizeof(mlk_polyvec_mulcache)))
-  requires(forall(k0, 0, MLKEM_K * MLKEM_K,
-      array_bound(a[k0].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
+  requires(forall(k0, 0, MLKEM_K, forall(k4, 0, MLKEM_K,
+    array_bound(a[k0][k4].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))))
   requires(forall(k1, 0, MLKEM_K,
      array_abs_bound(v[k1].coeffs, 0, MLKEM_N, MLK_NTT_BOUND)))
   requires(forall(k2, 0, MLKEM_K,
@@ -313,7 +316,7 @@ __contract__(
     invariant(forall(k, 0, i,
       array_abs_bound(out[k].coeffs, 0, MLKEM_N, INT16_MAX/2))))
   {
-    mlk_polyvec_basemul_acc_montgomery_cached(&out[i], &a[MLKEM_K * i], v, vc);
+    mlk_polyvec_basemul_acc_montgomery_cached(&out[i], a[i], v, vc);
   }
 }
 
diff --git a/mlkem/indcpa.h b/mlkem/indcpa.h
@@ -36,8 +36,8 @@ __contract__(
   requires(memory_no_alias(seed, MLKEM_SYMBYTES))
   requires(transposed == 0 || transposed == 1)
   assigns(object_whole(a))
-  ensures(forall(x, 0, MLKEM_K * MLKEM_K,
-    array_bound(a[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+  ensures(forall(x, 0, MLKEM_K, forall(y, 0, MLKEM_K,
+    array_bound(a[x][y].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
 );
 
 #define mlk_indcpa_keypair_derand MLK_NAMESPACE_K(indcpa_keypair_derand)
diff --git a/mlkem/poly_k.h b/mlkem/poly_k.h
@@ -20,7 +20,7 @@
 /* End of level namespacing */
 
 typedef mlk_poly mlk_polyvec[MLKEM_K];
-typedef mlk_poly mlk_polymat[MLKEM_K * MLKEM_K];
+typedef mlk_poly mlk_polymat[MLKEM_K][MLKEM_K];
 typedef mlk_poly_mulcache mlk_polyvec_mulcache[MLKEM_K];
 
 #define mlk_poly_compress_du MLK_NAMESPACE_K(poly_compress_du)
diff --git a/proofs/cbmc/matvec_mul/Makefile b/proofs/cbmc/matvec_mul/Makefile
@@ -11,6 +11,7 @@ PROOF_UID = mlk_matvec_mul
 
 DEFINES +=
 INCLUDES +=
+#UNWINDSET += matvec_mul.0:4
 
 REMOVE_FUNCTION_BODY +=
 
diff --git a/proofs/cbmc/matvec_mul/matvec_mul_harness.c b/proofs/cbmc/matvec_mul/matvec_mul_harness.c
@@ -6,12 +6,13 @@
 #include "poly_k.h"
 
 #define mlk_matvec_mul MLK_NAMESPACE(matvec_mul)
-void mlk_matvec_mul(mlk_polyvec out, const mlk_polymat a, mlk_polyvec const v,
+void mlk_matvec_mul(mlk_polyvec out, mlk_polymat a, mlk_polyvec const v,
                     mlk_polyvec_mulcache const vc);
 
 void harness(void)
 {
-  mlk_poly *out, *a, *v;
+  mlk_poly *out, *v;
+  mlk_poly (*a)[MLKEM_K];
   mlk_poly_mulcache *vc;
   mlk_matvec_mul(out, a, v, vc);
 }

Original file line number	Diff line number	Diff line change
`@@ -228,7 +228,7 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],`
`228`	`228`	`* This call writes across mlk_polyvec boundaries for K=2 and K=3.`
`229`	`229`	`* This is intentional and safe.`
`230`	`230`	`*/`
`231`		`- mlk_poly_rej_uniform_x4(&a[i], seed_ext);`
	`231`	`+ mlk_poly_rej_uniform_x4(&a[0][0] + i, seed_ext);`
`232`	`232`	`}`
`233`	`233`
`234`	`234`	`/* For MLKEM_K == 3, sample the last entry individually. */`
`@@ -249,7 +249,7 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],`
`249`	`249`	`seed_ext[0][MLKEM_SYMBYTES + 1] = x;`
`250`	`250`	`}`
`251`	`251`
`252`		`- mlk_poly_rej_uniform(&a[i], seed_ext[0]);`
	`252`	`+ mlk_poly_rej_uniform(&a[0][0] + i, seed_ext[0]);`
`253`	`253`	`i++;`
`254`	`254`	`}`
`255`	`255`
`@@ -261,7 +261,10 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],`
`261`	`261`	`*/`
`262`	`262`	`for (i = 0; i < MLKEM_K * MLKEM_K; i++)`
`263`	`263`	`{`
`264`		`- mlk_poly_permute_bitrev_to_custom(a[i].coeffs);`
	`264`	`+ for (j = 0; i < MLKEM_K * MLKEM_K; i++)`
	`265`	`+ {`
	`266`	`+ mlk_poly_permute_bitrev_to_custom(a[i][j].coeffs);`
	`267`	`+ }`
`265`	`268`	`}`
`266`	`269`
`267`	`270`	`/* Specification: Partially implements`
`@@ -288,15 +291,15 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],`
`288`	`291`	`* Specification: Implements [FIPS 203, Section 2.4.7, Eq (2.12), (2.13)]`
`289`	`292`	`*`
`290`	`293`	`**************************************************/`
`291`		`-static void mlk_matvec_mul(mlk_polyvec out, const mlk_polymat a,`
	`294`	`+static void mlk_matvec_mul(mlk_polyvec out, mlk_polymat a,`
`292`	`295`	`const mlk_polyvec v, const mlk_polyvec_mulcache vc)`
`293`	`296`	`__contract__(`
`294`	`297`	`requires(memory_no_alias(out, sizeof(mlk_polyvec)))`
`295`	`298`	`requires(memory_no_alias(a, sizeof(mlk_polymat)))`
`296`	`299`	`requires(memory_no_alias(v, sizeof(mlk_polyvec)))`
`297`	`300`	`requires(memory_no_alias(vc, sizeof(mlk_polyvec_mulcache)))`
`298`		`- requires(forall(k0, 0, MLKEM_K * MLKEM_K,`
`299`		`- array_bound(a[k0].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))`
	`301`	`+ requires(forall(k0, 0, MLKEM_K, forall(k4, 0, MLKEM_K,`
	`302`	`+ array_bound(a[k0][k4].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))))`
`300`	`303`	`requires(forall(k1, 0, MLKEM_K,`
`301`	`304`	`array_abs_bound(v[k1].coeffs, 0, MLKEM_N, MLK_NTT_BOUND)))`
`302`	`305`	`requires(forall(k2, 0, MLKEM_K,`
`@@ -313,7 +316,7 @@ __contract__(`
`313`	`316`	`invariant(forall(k, 0, i,`
`314`	`317`	`array_abs_bound(out[k].coeffs, 0, MLKEM_N, INT16_MAX/2))))`
`315`	`318`	`{`
`316`		`- mlk_polyvec_basemul_acc_montgomery_cached(&out[i], &a[MLKEM_K * i], v, vc);`
	`319`	`+ mlk_polyvec_basemul_acc_montgomery_cached(&out[i], a[i], v, vc);`
`317`	`320`	`}`
`318`	`321`	`}`
`319`	`322`
Original file line number	Diff line number	Diff line change
`@@ -6,12 +6,13 @@`
`6`	`6`	`#include "poly_k.h"`
`7`	`7`
`8`	`8`	`#define mlk_matvec_mul MLK_NAMESPACE(matvec_mul)`
`9`		`-void mlk_matvec_mul(mlk_polyvec out, const mlk_polymat a, mlk_polyvec const v,`
	`9`	`+void mlk_matvec_mul(mlk_polyvec out, mlk_polymat a, mlk_polyvec const v,`
`10`	`10`	`mlk_polyvec_mulcache const vc);`
`11`	`11`
`12`	`12`	`void harness(void)`
`13`	`13`	`{`
`14`		`- mlk_poly out, a, *v;`
	`14`	`+ mlk_poly out, v;`
	`15`	`+ mlk_poly (*a)[MLKEM_K];`
`15`	`16`	`mlk_poly_mulcache *vc;`
`16`	`17`	`mlk_matvec_mul(out, a, v, vc);`
`17`	`18`	`}`