Merge pull request #479 from pq-code-package/remove_todo

hanno-becker · web-flow · commit b5f962772c61 · 2024-12-03T10:46:48.000Z
Resolve or remove various small TODOs
diff --git a/cbmc/proofs/poly_compress_du/Makefile b/cbmc/proofs/poly_compress_du/Makefile
@@ -19,12 +19,16 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)poly_compress_du
+USE_FUNCTION_CONTRACTS =
+
+# TODO: We should be calling scalar_decompress_xxx by contract here,
+# but it does not seem to work yet because they are marked as static inline.
 # For K = 2 or 3, the code calls scalar_compress_d10, so
-ifeq ($(MLKEM_K),4)
-USE_FUNCTION_CONTRACTS = scalar_compress_d11
-else
-USE_FUNCTION_CONTRACTS = scalar_compress_d10
-endif
+# ifeq ($(MLKEM_K),4)
+# USE_FUNCTION_CONTRACTS = scalar_compress_d11
+# else
+# USE_FUNCTION_CONTRACTS = scalar_compress_d10
+# endif
 
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
diff --git a/cbmc/proofs/poly_compress_dv/Makefile b/cbmc/proofs/poly_compress_dv/Makefile
@@ -19,11 +19,15 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)poly_compress_dv
-ifeq ($(MLKEM_K),4)
-USE_FUNCTION_CONTRACTS = scalar_compress_d5
-else
-USE_FUNCTION_CONTRACTS = scalar_compress_d4
-endif
+
+USE_FUNCTION_CONTRACTS =
+# TODO: We should be calling scalar_decompress_xxx by contract here,
+# but it does not seem to work yet because they are marked as static inline.
+# ifeq ($(MLKEM_K),4)
+# USE_FUNCTION_CONTRACTS = scalar_compress_d5
+# else
+# USE_FUNCTION_CONTRACTS = scalar_compress_d4
+# endif
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
diff --git a/cbmc/proofs/poly_decompress_du/Makefile b/cbmc/proofs/poly_decompress_du/Makefile
@@ -20,12 +20,15 @@ PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)poly_decompress_du
 
+USE_FUNCTION_CONTRACTS =
+# TODO: We should be calling scalar_decompress_xxx by contract here,
+# but it does not seem to work yet because they are marked as static inline.
 # For K = 2 or 3, the code calls scalar_decompress_d10, so
-ifeq ($(MLKEM_K),4)
-USE_FUNCTION_CONTRACTS = scalar_decompress_d11
-else
-USE_FUNCTION_CONTRACTS = scalar_decompress_d10
-endif
+# ifeq ($(MLKEM_K),4)
+# USE_FUNCTION_CONTRACTS = scalar_decompress_d11
+# else
+# USE_FUNCTION_CONTRACTS = scalar_decompress_d10
+# endif
 
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
diff --git a/cbmc/proofs/poly_decompress_dv/Makefile b/cbmc/proofs/poly_decompress_dv/Makefile
@@ -20,12 +20,15 @@ PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)poly_decompress_dv
 
+USE_FUNCTION_CONTRACTS =
+# TODO: We should be calling scalar_decompress_xxx by contract here,
+# but it does not seem to work yet because they are marked as static inline.
 # For K = 2 or 3, the code calls scalar_decompress_d4, so
-ifeq ($(MLKEM_K),4)
-USE_FUNCTION_CONTRACTS = scalar_decompress_d5
-else
-USE_FUNCTION_CONTRACTS = scalar_decompress_d4
-endif
+# ifeq ($(MLKEM_K),4)
+# USE_FUNCTION_CONTRACTS = scalar_decompress_d5
+# else
+# USE_FUNCTION_CONTRACTS = scalar_decompress_d4
+# endif
 
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
diff --git a/mlkem/indcpa.c b/mlkem/indcpa.c
@@ -61,9 +61,11 @@ static void unpack_pk(polyvec *pk, uint8_t seed[MLKEM_SYMBYTES],
   memcpy(seed, packedpk + MLKEM_POLYVECBYTES, MLKEM_SYMBYTES);
 
   /*
-   * TODO! pk must be subject to a "modulus check" at the top-level
-   * crypto_kem_enc_derand(). Once that's done, the reduction is no
-   * longer necessary here.
+   * TODO! We know from the modulus check that this will result in an
+   * unsigned canonical polynomial, but CBMC does not know it. We should
+   * weaken the specification of `unpack_pk()` and all depending functions
+   * to work with the weaker 4096-bound, so that the proofs go through
+   * without the need of this redundant call to polyvec_reduce().
    */
   polyvec_reduce(pk);
 }
@@ -291,13 +293,6 @@ void gen_matrix(polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed)
     memcpy(seedxy[j], seed, MLKEM_SYMBYTES);
   }
 
-  /*
-   * TODO: All loops in this function should be unrolled for decent
-   * performance.
-   * Either add suitable pragmas, or split gen_matrix according to MLKEM_K
-   * and unroll by hand.
-   */
-
   for (i = 0; i < (MLKEM_K * MLKEM_K / KECCAK_WAY) * KECCAK_WAY;
        i += KECCAK_WAY)
   {
diff --git a/mlkem/native/arith_native.h b/mlkem/native/arith_native.h
@@ -240,7 +240,7 @@ static INLINE void poly_frombytes_native(poly *a,
  *
  * Return -1 if the native implementation does not support the input lengths.
  * Otherwise, returns non-negative number of sampled 16-bit integers (at most
- *len).
+ * len).
  **************************************************/
 static INLINE int rej_uniform_native(int16_t *r, unsigned int len,
                                      const uint8_t *buf, unsigned int buflen);
diff --git a/mlkem/native/x86_64/arith_native_x86_64.h b/mlkem/native/x86_64/arith_native_x86_64.h
@@ -20,7 +20,6 @@
   ((12 * MLKEM_N / 8 * (1 << 12) / MLKEM_Q + SHAKE128_RATE) / SHAKE128_RATE)
 #define REJ_UNIFORM_AVX_BUFLEN (REJ_UNIFORM_AVX_NBLOCKS * SHAKE128_RATE)
 
-/* TODO: Document buffer constraints */
 #define rej_uniform_avx2 MLKEM_NAMESPACE(rej_uniform_avx2)
 unsigned int rej_uniform_avx2(int16_t *r, const uint8_t *buf);
 
diff --git a/mlkem/native/x86_64/profiles/default.h b/mlkem/native/x86_64/profiles/default.h
@@ -74,13 +74,7 @@ static INLINE void poly_mulcache_compute_native(poly_mulcache *x, const poly *y)
 {
   /* AVX2 backend does not use mulcache */
   ((void)y);
-
-  /*
-   * TODO! The mulcache is subject to the absolute bound < q
-   * This needs to be dropped if the mulcache is not present.
-   * Until that's done, memset to 0 to avoid failure.
-   */
-  memset(x, 0, sizeof(poly_mulcache));
+  ((void)x);
 }
 
 static INLINE void polyvec_basemul_acc_montgomery_cached_native(
diff --git a/mlkem/poly.c b/mlkem/poly.c
@@ -456,6 +456,8 @@ void poly_basemul_montgomery_cached(poly *r, const poly *a, const poly *b,
                                     const poly_mulcache *b_cache)
 {
   int i;
+  POLY_BOUND(b_cache, MLKEM_Q);
+
   for (i = 0; i < MLKEM_N / 4; i++)
   __loop__(
     assigns(i, object_whole(r))
@@ -559,6 +561,8 @@ void poly_mulcache_compute(poly_mulcache *x, const poly *a)
 void poly_mulcache_compute(poly_mulcache *x, const poly *a)
 {
   poly_mulcache_compute_native(x, a);
-  POLY_BOUND(x, MLKEM_Q);
+  /* Omitting POLY_BOUND(x, MLKEM_Q) since native implementations may
+   * decide not to use a mulcache. Note that the C backend implementation
+   * of poly_basemul_montgomery_cached() does still include the check. */
 }
 #endif /* MLKEM_USE_NATIVE_POLY_MULCACHE_COMPUTE */
diff --git a/mlkem/poly.h b/mlkem/poly.h
@@ -192,9 +192,7 @@ __contract__(
 #pragma CPROVER check push
 #pragma CPROVER check disable "unsigned-overflow"
 #endif
-/* TODO: do the same for the other static inline functions */
-STATIC_INLINE_TESTABLE
-uint32_t scalar_compress_d10(uint16_t u)
+static INLINE uint32_t scalar_compress_d10(uint16_t u)
 __contract__(
   requires(u <= MLKEM_Q - 1)
   ensures(return_value < (1u << 10))
@@ -244,8 +242,7 @@ __contract__(
 #pragma CPROVER check push
 #pragma CPROVER check disable "unsigned-overflow"
 #endif
-STATIC_INLINE_TESTABLE
-uint32_t scalar_compress_d11(uint16_t u)
+static INLINE uint32_t scalar_compress_d11(uint16_t u)
 __contract__(
   requires(u <= MLKEM_Q - 1)
   ensures(return_value < (1u << 11))
@@ -270,8 +267,7 @@ __contract__(
  * Arguments: - u: Unsigned canonical modulus modulo 16
  *                 to be decompressed.
  ************************************************************/
-STATIC_INLINE_TESTABLE
-uint16_t scalar_decompress_d11(uint32_t u)
+static INLINE uint16_t scalar_decompress_d11(uint32_t u)
 __contract__(
   requires(0 <= u && u < 2048)
   ensures(return_value <= (MLKEM_Q - 1))
@@ -295,8 +291,7 @@ __contract__(
  *
  * Arguments: c: signed coefficient to be converted
  ************************************************************/
-STATIC_INLINE_TESTABLE
-uint16_t scalar_signed_to_unsigned_q(int16_t c)
+static INLINE uint16_t scalar_signed_to_unsigned_q(int16_t c)
 __contract__(
   requires(c >= -(MLKEM_Q - 1) && c <= (MLKEM_Q - 1))
   ensures(return_value >= 0 && return_value <= (MLKEM_Q - 1))
diff --git a/mlkem/polyvec.c b/mlkem/polyvec.c
@@ -128,7 +128,9 @@ void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a,
 {
   POLYVEC_BOUND(a, MLKEM_Q);
   POLYVEC_BOUND(b, NTT_BOUND);
-  POLYVEC_BOUND(b_cache, MLKEM_Q);
+  /* Omitting POLYVEC_BOUND(b_cache, MLKEM_Q) since native implementations may
+   * decide not to use a mulcache. Note that the C backend implementation
+   * of poly_basemul_montgomery_cached() does still include the check. */
   polyvec_basemul_acc_montgomery_cached_native(r, a, b, b_cache);
 }
 #endif /* MLKEM_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED */

Original file line number	Diff line number	Diff line change
`@@ -240,7 +240,7 @@ static INLINE void poly_frombytes_native(poly *a,`
`240`	`240`	`*`
`241`	`241`	`* Return -1 if the native implementation does not support the input lengths.`
`242`	`242`	`* Otherwise, returns non-negative number of sampled 16-bit integers (at most`
`243`		`- *len).`
	`243`	`+ * len).`
`244`	`244`	`**************************************************/`
`245`	`245`	`static INLINE int rej_uniform_native(int16_t *r, unsigned int len,`
`246`	`246`	`const uint8_t *buf, unsigned int buflen);`
Original file line number	Diff line number	Diff line change
`@@ -74,13 +74,7 @@ static INLINE void poly_mulcache_compute_native(poly_mulcache x, const poly y)`
`74`	`74`	`{`
`75`	`75`	`/* AVX2 backend does not use mulcache */`
`76`	`76`	`((void)y);`
`77`		`-`
`78`		`- /*`
`79`		`- * TODO! The mulcache is subject to the absolute bound < q`
`80`		`- * This needs to be dropped if the mulcache is not present.`
`81`		`- * Until that's done, memset to 0 to avoid failure.`
`82`		`- */`
`83`		`- memset(x, 0, sizeof(poly_mulcache));`
	`77`	`+ ((void)x);`
`84`	`78`	`}`
`85`	`79`
`86`	`80`	`static INLINE void polyvec_basemul_acc_montgomery_cached_native(`
Original file line number	Diff line number	Diff line change
`@@ -456,6 +456,8 @@ void poly_basemul_montgomery_cached(poly r, const poly a, const poly *b,`
`456`	`456`	`const poly_mulcache *b_cache)`
`457`	`457`	`{`
`458`	`458`	`int i;`
	`459`	`+ POLY_BOUND(b_cache, MLKEM_Q);`
	`460`	`+`
`459`	`461`	`for (i = 0; i < MLKEM_N / 4; i++)`
`460`	`462`	`__loop__(`
`461`	`463`	`assigns(i, object_whole(r))`
`@@ -559,6 +561,8 @@ void poly_mulcache_compute(poly_mulcache x, const poly a)`
`559`	`561`	`void poly_mulcache_compute(poly_mulcache x, const poly a)`
`560`	`562`	`{`
`561`	`563`	`poly_mulcache_compute_native(x, a);`
`562`		`- POLY_BOUND(x, MLKEM_Q);`
	`564`	`+ /* Omitting POLY_BOUND(x, MLKEM_Q) since native implementations may`
	`565`	`+ * decide not to use a mulcache. Note that the C backend implementation`
	`566`	`+ * of poly_basemul_montgomery_cached() does still include the check. */`
`563`	`567`	`}`
`564`	`568`	`#endif /* MLKEM_USE_NATIVE_POLY_MULCACHE_COMPUTE */`
Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,9 @@ void polyvec_basemul_acc_montgomery_cached(poly r, const polyvec a,`
`128`	`128`	`{`
`129`	`129`	`POLYVEC_BOUND(a, MLKEM_Q);`
`130`	`130`	`POLYVEC_BOUND(b, NTT_BOUND);`
`131`		`- POLYVEC_BOUND(b_cache, MLKEM_Q);`
	`131`	`+ /* Omitting POLYVEC_BOUND(b_cache, MLKEM_Q) since native implementations may`
	`132`	`+ * decide not to use a mulcache. Note that the C backend implementation`
	`133`	`+ * of poly_basemul_montgomery_cached() does still include the check. */`
`132`	`134`	`polyvec_basemul_acc_montgomery_cached_native(r, a, b, b_cache);`
`133`	`135`	`}`
`134`	`136`	`#endif /* MLKEM_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED */`