Merge pull request #826 from pq-code-package/keccak_proof_v84a

mkannwischer · web-flow · commit f2b1a7e0227f · 2025-03-03T12:40:33.000+08:00
Add proof for AArch64+SHA3 Keccak-f1600-x1
diff --git a/.github/workflows/hol_light.yml b/.github/workflows/hol_light.yml
@@ -23,7 +23,7 @@ jobs:
   hol_light_proofs:
     strategy:
       matrix:
-        proof: [mlkem_ntt,mlkem_intt,mlkem_keccak_f1600]
+        proof: [mlkem_ntt,mlkem_intt,mlkem_keccak_f1600,mlkem_keccak_f1600_alt]
     name: HOL Light proof for ${{ matrix.proof }}.S
     runs-on: pqcp-arm64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork
diff --git a/dev/fips202/aarch64/src/keccak_f1600_x1_v84a_asm_clean.S b/dev/fips202/aarch64/src/keccak_f1600_x1_v84a_asm_clean.S
@@ -49,7 +49,6 @@
 
     input_addr    .req x0
     input_rc      .req x1
-    const_addr    .req x1
     count         .req x2
     cur_const     .req x3
 
@@ -210,7 +209,7 @@
     str Asud, [input_addr, #0xC0]
 .endm
 
-#define STACK_SIZE (16*4 + 16*6) /* VREGS (16*4) + GPRS (TODO: Remove) */
+#define STACK_SIZE (16*4) /* VREGS (16*4) */
 
 #define STACK_BASE_GPRS (16*4)
 .macro alloc_stack
@@ -219,7 +218,7 @@
 
 .macro free_stack
     add sp, sp, #(STACK_SIZE)
-	.endm
+.endm
 
 .macro save_vregs
     stp  d8,  d9, [sp, #(16*0)]
@@ -300,7 +299,7 @@
     xar_m0 Ame_, Aga, E0, 28
     xar_m0 Abe_, Age, E1, 20
 
-    ld1r {v31.2d}, [const_addr], #8
+    ld1r {v31.2d}, [input_rc], #8
 
     bcax_m0 Aga, Aga_, Agi_, Age_
     bcax_m0 Age, Age_, Ago_, Agi_
@@ -341,7 +340,6 @@
 MLK_ASM_FN_SYMBOL(keccak_f1600_x1_v84a_asm_clean)
     alloc_stack
     save_vregs
-    mov const_addr, input_rc
     load_input
 
     mov count, #(KECCAK_F1600_ROUNDS)
@@ -358,7 +356,6 @@ keccak_f1600_x1_v84a_loop:
 /****************** REGISTER DEALLOCATIONS *******************/
     .unreq input_addr
     .unreq input_rc
-    .unreq const_addr
     .unreq count
     .unreq cur_const
     .unreq Aba
diff --git a/mlkem/fips202/native/aarch64/src/keccak_f1600_x1_v84a_asm_clean.S b/mlkem/fips202/native/aarch64/src/keccak_f1600_x1_v84a_asm_clean.S
@@ -55,12 +55,11 @@
 .global MLK_ASM_NAMESPACE(keccak_f1600_x1_v84a_asm_clean)
 MLK_ASM_FN_SYMBOL(keccak_f1600_x1_v84a_asm_clean)
 
-        sub	sp, sp, #0xa0
+        sub	sp, sp, #0x40
         stp	d8, d9, [sp]
         stp	d10, d11, [sp, #0x10]
         stp	d12, d13, [sp, #0x20]
         stp	d14, d15, [sp, #0x30]
-        mov	x1, x1
         ldp	d0, d1, [x0]
         ldp	d2, d3, [x0, #0x10]
         ldp	d4, d5, [x0, #0x20]
@@ -163,7 +162,7 @@ keccak_f1600_x1_v84a_loop:
         ldp	d10, d11, [sp, #0x10]
         ldp	d12, d13, [sp, #0x20]
         ldp	d14, d15, [sp, #0x30]
-        add	sp, sp, #0xa0
+        add	sp, sp, #0x40
         ret
 
 #endif /* __ARM_FEATURE_SHA3 */
diff --git a/proofs/hol_light/arm/Makefile b/proofs/hol_light/arm/Makefile
@@ -25,10 +25,11 @@ SRC_ARM ?= $(SRC)/arm
 # Some clang-based preprocessors seem to behave differently, and get confused
 # by single-quote characters in comments, so we eliminate // comments first.
 
+ARCHFLAGS=-march=armv8.4-a+sha3
 ifeq ($(OSTYPE_RESULT),Darwin)
 PREPROCESS=sed -e 's/\/\/.*//' | $(CC) -E -xassembler-with-cpp -
 else
-PREPROCESS=$(CC) -E -xassembler-with-cpp -
+PREPROCESS=$(CC) $(ARCHFLAGS) -E -xassembler-with-cpp -
 endif
 
 # Generally GNU-type assemblers are happy with multiple instructions on
@@ -47,24 +48,27 @@ SPLIT=tr ';' '\n'
 #  sudo apt-get install binutils-aarch64-linux-gnu
 
 ifeq ($(ARCHTYPE_RESULT),aarch64)
-ASSEMBLE=as
+ASSEMBLE=as $(ARCHFLAGS)
 OBJDUMP=objdump -d
 else
 ifeq ($(ARCHTYPE_RESULT),arm64)
-ASSEMBLE=as
+ASSEMBLE=as $(ARCHFLAGS)
 OBJDUMP=objdump -d
 else
 ifeq ($(OSTYPE_RESULT),Darwin)
 ASSEMBLE=as -arch arm64
 OBJDUMP=otool -tvV
 else
-ASSEMBLE=aarch64-linux-gnu-as
+ASSEMBLE=aarch64-linux-gnu-as $(ARCHFLAGS)
 OBJDUMP=aarch64-linux-gnu-objdump -d
 endif
 endif
 endif
 
-OBJ = mlkem/mlkem_ntt.o mlkem/mlkem_intt.o mlkem/mlkem_keccak_f1600.o
+OBJ = mlkem/mlkem_ntt.o                 \
+      mlkem/mlkem_intt.o                \
+      mlkem/mlkem_keccak_f1600.o        \
+      mlkem/mlkem_keccak_f1600_alt.o
 
 # According to
 # https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms,
diff --git a/proofs/hol_light/arm/mlkem/mlkem_keccak_f1600_alt.S b/proofs/hol_light/arm/mlkem/mlkem_keccak_f1600_alt.S
@@ -0,0 +1,166 @@
+/*
+ * Copyright (c) 2024-2025 The mlkem-native project authors
+ * Copyright (c) 2021-2022 Arm Limited
+ * Copyright (c) 2022 Matthias Kannwischer
+ * SPDX-License-Identifier: MIT
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ */
+
+//
+// Author: Hanno Becker <hanno.becker@arm.com>
+// Author: Matthias Kannwischer <matthias@kannwischer.eu>
+//
+// This implementation is essentially from the paper
+//
+//   Hybrid scalar/vector implementations of Keccak and SPHINCS+ on AArch64
+//   https://eprint.iacr.org/2022/1243
+//
+// The only difference is interleaving/deinterleaving of Keccak state
+// during load and store, so that the caller need not do this.
+//
+
+
+
+/*
+ * WARNING: This file is auto-derived from the mlkem-native source file
+ *   dev/fips202/aarch64/src/keccak_f1600_x1_v84a_asm_clean.S using scripts/simpasm. Do not modify it directly.
+ */
+
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLKEM_NATIVE_MLKEM768_keccak_f1600_x1_v84a_asm_clean
+_PQCP_MLKEM_NATIVE_MLKEM768_keccak_f1600_x1_v84a_asm_clean:
+#else
+.global PQCP_MLKEM_NATIVE_MLKEM768_keccak_f1600_x1_v84a_asm_clean
+PQCP_MLKEM_NATIVE_MLKEM768_keccak_f1600_x1_v84a_asm_clean:
+#endif
+
+        sub	sp, sp, #0x40
+        stp	d8, d9, [sp]
+        stp	d10, d11, [sp, #0x10]
+        stp	d12, d13, [sp, #0x20]
+        stp	d14, d15, [sp, #0x30]
+        ldp	d0, d1, [x0]
+        ldp	d2, d3, [x0, #0x10]
+        ldp	d4, d5, [x0, #0x20]
+        ldp	d6, d7, [x0, #0x30]
+        ldp	d8, d9, [x0, #0x40]
+        ldp	d10, d11, [x0, #0x50]
+        ldp	d12, d13, [x0, #0x60]
+        ldp	d14, d15, [x0, #0x70]
+        ldp	d16, d17, [x0, #0x80]
+        ldp	d18, d19, [x0, #0x90]
+        ldp	d20, d21, [x0, #0xa0]
+        ldp	d22, d23, [x0, #0xb0]
+        ldr	d24, [x0, #0xc0]
+        mov	x2, #0x18               // =24
+
+keccak_f1600_x1_v84a_loop:
+        eor3	v30.16b, v0.16b, v5.16b, v10.16b
+        eor3	v29.16b, v1.16b, v6.16b, v11.16b
+        eor3	v28.16b, v2.16b, v7.16b, v12.16b
+        eor3	v27.16b, v3.16b, v8.16b, v13.16b
+        eor3	v26.16b, v4.16b, v9.16b, v14.16b
+        eor3	v30.16b, v30.16b, v15.16b, v20.16b
+        eor3	v29.16b, v29.16b, v16.16b, v21.16b
+        eor3	v28.16b, v28.16b, v17.16b, v22.16b
+        eor3	v27.16b, v27.16b, v18.16b, v23.16b
+        eor3	v26.16b, v26.16b, v19.16b, v24.16b
+        rax1	v25.2d, v30.2d, v28.2d
+        rax1	v28.2d, v28.2d, v26.2d
+        rax1	v26.2d, v26.2d, v29.2d
+        rax1	v29.2d, v29.2d, v27.2d
+        rax1	v27.2d, v27.2d, v30.2d
+        eor	v30.16b, v0.16b, v26.16b
+        xar	v0.2d, v2.2d, v29.2d, #0x2
+        xar	v2.2d, v12.2d, v29.2d, #0x15
+        xar	v12.2d, v13.2d, v28.2d, #0x27
+        xar	v13.2d, v19.2d, v27.2d, #0x38
+        xar	v19.2d, v23.2d, v28.2d, #0x8
+        xar	v23.2d, v15.2d, v26.2d, #0x17
+        xar	v15.2d, v1.2d, v25.2d, #0x3f
+        xar	v1.2d, v8.2d, v28.2d, #0x9
+        xar	v8.2d, v16.2d, v25.2d, #0x13
+        xar	v16.2d, v7.2d, v29.2d, #0x3a
+        xar	v7.2d, v10.2d, v26.2d, #0x3d
+        xar	v10.2d, v3.2d, v28.2d, #0x24
+        xar	v3.2d, v18.2d, v28.2d, #0x2b
+        xar	v18.2d, v17.2d, v29.2d, #0x31
+        xar	v17.2d, v11.2d, v25.2d, #0x36
+        xar	v11.2d, v9.2d, v27.2d, #0x2c
+        xar	v9.2d, v22.2d, v29.2d, #0x3
+        xar	v22.2d, v14.2d, v27.2d, #0x19
+        xar	v14.2d, v20.2d, v26.2d, #0x2e
+        xar	v20.2d, v4.2d, v27.2d, #0x25
+        xar	v4.2d, v24.2d, v27.2d, #0x32
+        xar	v24.2d, v21.2d, v25.2d, #0x3e
+        xar	v21.2d, v5.2d, v26.2d, #0x1c
+        xar	v27.2d, v6.2d, v25.2d, #0x14
+        ld1r	{ v31.2d }, [x1], #8
+        bcax	v5.16b, v10.16b, v7.16b, v11.16b
+        bcax	v6.16b, v11.16b, v8.16b, v7.16b
+        bcax	v7.16b, v7.16b, v9.16b, v8.16b
+        bcax	v8.16b, v8.16b, v10.16b, v9.16b
+        bcax	v9.16b, v9.16b, v11.16b, v10.16b
+        bcax	v10.16b, v15.16b, v12.16b, v16.16b
+        bcax	v11.16b, v16.16b, v13.16b, v12.16b
+        bcax	v12.16b, v12.16b, v14.16b, v13.16b
+        bcax	v13.16b, v13.16b, v15.16b, v14.16b
+        bcax	v14.16b, v14.16b, v16.16b, v15.16b
+        bcax	v15.16b, v20.16b, v17.16b, v21.16b
+        bcax	v16.16b, v21.16b, v18.16b, v17.16b
+        bcax	v17.16b, v17.16b, v19.16b, v18.16b
+        bcax	v18.16b, v18.16b, v20.16b, v19.16b
+        bcax	v19.16b, v19.16b, v21.16b, v20.16b
+        bcax	v20.16b, v0.16b, v22.16b, v1.16b
+        bcax	v21.16b, v1.16b, v23.16b, v22.16b
+        bcax	v22.16b, v22.16b, v24.16b, v23.16b
+        bcax	v23.16b, v23.16b, v0.16b, v24.16b
+        bcax	v24.16b, v24.16b, v1.16b, v0.16b
+        bcax	v0.16b, v30.16b, v2.16b, v27.16b
+        bcax	v1.16b, v27.16b, v3.16b, v2.16b
+        bcax	v2.16b, v2.16b, v4.16b, v3.16b
+        bcax	v3.16b, v3.16b, v30.16b, v4.16b
+        bcax	v4.16b, v4.16b, v27.16b, v30.16b
+        eor	v0.16b, v0.16b, v31.16b
+        sub	x2, x2, #0x1
+        cbnz	x2, keccak_f1600_x1_v84a_loop
+        stp	d0, d1, [x0]
+        stp	d2, d3, [x0, #0x10]
+        stp	d4, d5, [x0, #0x20]
+        stp	d6, d7, [x0, #0x30]
+        stp	d8, d9, [x0, #0x40]
+        stp	d10, d11, [x0, #0x50]
+        stp	d12, d13, [x0, #0x60]
+        stp	d14, d15, [x0, #0x70]
+        stp	d16, d17, [x0, #0x80]
+        stp	d18, d19, [x0, #0x90]
+        stp	d20, d21, [x0, #0xa0]
+        stp	d22, d23, [x0, #0xb0]
+        str	d24, [x0, #0xc0]
+        ldp	d8, d9, [sp]
+        ldp	d10, d11, [sp, #0x10]
+        ldp	d12, d13, [sp, #0x20]
+        ldp	d14, d15, [sp, #0x30]
+        add	sp, sp, #0x40
+        ret
diff --git a/proofs/hol_light/arm/proofs/mlkem_keccak_f1600_alt.ml b/proofs/hol_light/arm/proofs/mlkem_keccak_f1600_alt.ml
diff --git a/scripts/autogen b/scripts/autogen
