Merge pull request #1231 from pq-code-package/serialize-keccaks

Add MLK_CONFIG_SERIAL_FIPS202_ONLY option

Author: hanno-becker

.github/actions/config-variations/action.yml

@@ -7,7 +7,7 @@ inputs:
     description: 'GitHub token'
     required: true
   tests:
-    description: 'List of tests to run (space-separated IDs) or "all" for all tests. Available IDs: pct-enabled, pct-enabled-broken, custom-zeroize, native-cap-ON, native-cap-OFF, native-cap-ID_AA64PFR1_EL1, native-cap-CPUID_AVX2, no-asm, custom-randombytes, custom-memcpy, custom-memset, custom-stdlib, nblocks-1, nblocks-2, nblocks-4'
+    description: 'List of tests to run (space-separated IDs) or "all" for all tests. Available IDs: pct-enabled, pct-enabled-broken, custom-zeroize, native-cap-ON, native-cap-OFF, native-cap-ID_AA64PFR1_EL1, native-cap-CPUID_AVX2, no-asm, serial-fips202, custom-randombytes, custom-memcpy, custom-memset, custom-stdlib, nblocks-1, nblocks-2, nblocks-4'
     required: false
     default: 'all'
   opt:
@@ -117,6 +117,18 @@ runs:
         acvp: true
         opt: ${{ inputs.opt }}
         examples: false # Some examples use a custom config themselves
+    - name: "Serial FIPS202 (no batched Keccak)"
+      if: ${{ inputs.tests == 'all' || contains(inputs.tests, 'serial-fips202') }}
+      uses: ./.github/actions/multi-functest
+      with:
+        gh_token: ${{ inputs.gh_token }}
+        compile_mode: native
+        cflags: "-std=c11 -D_GNU_SOURCE -DMLK_CONFIG_FILE=\\\\\\\"../../test/serial_fips202_config.h\\\\\\\" -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all"
+        func: true
+        kat: true
+        acvp: true
+        opt: ${{ inputs.opt }}
+        examples: false # Some examples use a custom config themselves
     - name: "Custom randombytes"
       if: ${{ inputs.tests == 'all' || contains(inputs.tests, 'custom-randombytes') }}
       uses: ./.github/actions/multi-functest

BIBLIOGRAPHY.md

@@ -43,6 +43,7 @@ source code and documentation.
   - [test/custom_stdlib_config.h](test/custom_stdlib_config.h)
   - [test/custom_zeroize_config.h](test/custom_zeroize_config.h)
   - [test/no_asm_config.h](test/no_asm_config.h)
+  - [test/serial_fips202_config.h](test/serial_fips202_config.h)
 
 ### `FIPS202`
 

examples/basic_deterministic/mlkem_native/custom_no_randomized_config.h

@@ -506,6 +506,28 @@
    #endif
 */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_SERIAL_FIPS202_ONLY
+ *
+ * Description: Set this to use a FIPS202 implementation with global state
+ *              that supports only one active Keccak computation at a time
+ *              (e.g. some hardware accelerators).
+ *
+ *              If this option is set, batched Keccak operations are
+ *              disabled for rejection sampling during matrix generation.
+ *              Instead, matrix entries will be generated one at a time.
+ *
+ *              This allows offloading Keccak computations to a hardware
+ *              accelerator that holds only a single Keccak state locally,
+ *              rather than requiring support for batched (4x) Keccak states.
+ *
+ *              NOTE: Depending on the target CPU, disabling batched Keccak
+ *              may reduce performance when using software FIPS202
+ *              implementations. Only enable this when you have to.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_SERIAL_FIPS202_ONLY */
+
 /*************************  Config internals  ********************************/
 
 /* Default namespace

mlkem/src/config.h

@@ -506,6 +506,28 @@
    #endif
 */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_SERIAL_FIPS202_ONLY
+ *
+ * Description: Set this to use a FIPS202 implementation with global state
+ *              that supports only one active Keccak computation at a time
+ *              (e.g. some hardware accelerators).
+ *
+ *              If this option is set, batched Keccak operations are
+ *              disabled for rejection sampling during matrix generation.
+ *              Instead, matrix entries will be generated one at a time.
+ *
+ *              This allows offloading Keccak computations to a hardware
+ *              accelerator that holds only a single Keccak state locally,
+ *              rather than requiring support for batched (4x) Keccak states.
+ *
+ *              NOTE: Depending on the target CPU, disabling batched Keccak
+ *              may reduce performance when using software FIPS202
+ *              implementations. Only enable this when you have to.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_SERIAL_FIPS202_ONLY */
+
 /*************************  Config internals  ********************************/
 
 /* Default namespace

mlkem/src/indcpa.c

@@ -39,6 +39,8 @@
 #define mlk_pack_ciphertext MLK_ADD_PARAM_SET(mlk_pack_ciphertext)
 #define mlk_unpack_ciphertext MLK_ADD_PARAM_SET(mlk_unpack_ciphertext)
 #define mlk_matvec_mul MLK_ADD_PARAM_SET(mlk_matvec_mul)
+#define mlk_polymat_permute_bitrev_to_custom \
+  MLK_ADD_PARAM_SET(mlk_polymat_permute_bitrev_to_custom)
 /* End of parameter set namespacing */
 
 /*************************************************
@@ -175,21 +177,40 @@ static void mlk_unpack_ciphertext(mlk_polyvec b, mlk_poly *v,
   mlk_poly_decompress_dv(v, c + MLKEM_POLYVECCOMPRESSEDBYTES_DU);
 }
 
-#if !defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER)
-/* This namespacing is not done at the top to avoid a naming conflict
- * with native backends, which are currently not yet namespaced. */
-#define mlk_poly_permute_bitrev_to_custom \
-  MLK_ADD_PARAM_SET(mlk_poly_permute_bitrev_to_custom)
-
-static MLK_INLINE void mlk_poly_permute_bitrev_to_custom(int16_t data[MLKEM_N])
+/* Helper function to ensure that the polynomial entries in the output
+ * of gen_matrix use the standard (bitreversed) ordering of coefficients.
+ * No-op unless a native backend with a custom ordering is used.
+ *
+ * We don't inline this into gen_matrix to avoid having to split the CBMC
+ * proof for gen_matrix based on MLK_USE_NATIVE_NTT_CUSTOM_ORDER. */
+static void mlk_polymat_permute_bitrev_to_custom(mlk_polymat a)
 __contract__(
   /* We don't specify that this should be a permutation, but only
    * that it does not change the bound established at the end of mlk_gen_matrix. */
-  requires(memory_no_alias(data, sizeof(int16_t) * MLKEM_N))
-  requires(array_bound(data, 0, MLKEM_N, 0, MLKEM_Q))
-  assigns(memory_slice(data, sizeof(mlk_poly)))
-  ensures(array_bound(data, 0, MLKEM_N, 0, MLKEM_Q))) { ((void)data); }
+ requires(memory_no_alias(a, sizeof(mlk_polymat)))
+ requires(forall(x, 0, MLKEM_K * MLKEM_K,
+   array_bound(a[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+ assigns(object_whole(a))
+ ensures(forall(x, 0, MLKEM_K * MLKEM_K,
+   array_bound(a[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
+{
+#if defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER)
+  unsigned i;
+  for (i = 0; i < MLKEM_K * MLKEM_K; i++)
+  __loop__(
+     assigns(i, object_whole(a))
+     invariant(i <= MLKEM_K * MLKEM_K)
+     invariant(forall(x, 0, MLKEM_K * MLKEM_K,
+       array_bound(a[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+     )
+  {
+    mlk_poly_permute_bitrev_to_custom(a[i].coeffs);
+  }
+#else  /* MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
+  /* Nothing to do */
+  (void)a;
 #endif /* !MLK_USE_NATIVE_NTT_CUSTOM_ORDER */
+}
 
 /* Reference: `gen_matrix()` in the reference implementation @[REF].
  *            - We use a special subroutine to generate 4 polynomials
@@ -203,19 +224,14 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
                     int transposed)
 {
   unsigned i, j;
-  /*
-   * We generate four separate seed arrays rather than a single one to work
-   * around limitations in CBMC function contracts dealing with disjoint slices
-   * of the same parent object.
-   */
-
   MLK_ALIGN uint8_t seed_ext[4][MLK_ALIGN_UP(MLKEM_SYMBYTES + 2)];
 
   for (j = 0; j < 4; j++)
   {
     mlk_memcpy(seed_ext[j], seed, MLKEM_SYMBYTES);
   }
 
+#if !defined(MLK_CONFIG_SERIAL_FIPS202_ONLY)
   /* Sample 4 matrix entries a time. */
   for (i = 0; i < (MLKEM_K * MLKEM_K / 4) * 4; i += 4)
   {
@@ -239,9 +255,15 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
 
     mlk_poly_rej_uniform_x4(&a[i], &a[i + 1], &a[i + 2], &a[i + 3], seed_ext);
   }
-
-  /* For MLKEM_K == 3, sample the last entry individually. */
-  if (i < MLKEM_K * MLKEM_K)
+#else  /* !MLK_CONFIG_SERIAL_FIPS202_ONLY */
+  /* When using serial FIPS202, sample all entries individually. */
+  i = 0;
+#endif /* MLK_CONFIG_SERIAL_FIPS202_ONLY */
+
+  /* For MLKEM_K == 3, sample the last entry individually.
+   * When MLK_CONFIG_SERIAL_FIPS202_ONLY is set, sample all entries
+   * individually. */
+  for (; i < MLKEM_K * MLKEM_K; i++)
   {
     uint8_t x, y;
     /* MLKEM_K <= 4, so the values fit in uint8_t. */
@@ -260,7 +282,6 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
     }
 
     mlk_poly_rej_uniform(&a[i], seed_ext[0]);
-    i++;
   }
 
   mlk_assert(i == MLKEM_K * MLKEM_K);
@@ -269,10 +290,7 @@ void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
    * The public matrix is generated in NTT domain. If the native backend
    * uses a custom order in NTT domain, permute A accordingly.
    */
-  for (i = 0; i < MLKEM_K * MLKEM_K; i++)
-  {
-    mlk_poly_permute_bitrev_to_custom(a[i].coeffs);
-  }
+  mlk_polymat_permute_bitrev_to_custom(a);
 
   /* Specification: Partially implements
    * @[FIPS203, Section 3.3, Destruction of intermediate values] */
@@ -524,4 +542,4 @@ void mlk_indcpa_dec(uint8_t m[MLKEM_INDCPA_MSGBYTES],
 #undef mlk_pack_ciphertext
 #undef mlk_unpack_ciphertext
 #undef mlk_matvec_mul
-#undef mlk_poly_permute_bitrev_to_custom
+#undef mlk_polymat_permute_bitrev_to_custom

mlkem/src/sampling.c

@@ -143,6 +143,7 @@ __contract__(
   ((12 * MLKEM_N / 8 * (1 << 12) / MLKEM_Q + MLK_XOF_RATE) / MLK_XOF_RATE)
 #endif
 
+#if !defined(MLK_CONFIG_SERIAL_FIPS202_ONLY)
 /* Reference: Does not exist in the reference implementation @[REF].
  *            - x4-batched version of `rej_uniform()` from the
  *              reference implementation, leveraging x4-batched Keccak-f1600. */
@@ -211,6 +212,7 @@ void mlk_poly_rej_uniform_x4(mlk_poly *vec0, mlk_poly *vec1, mlk_poly *vec2,
    * @[FIPS203, Section 3.3, Destruction of intermediate values] */
   mlk_zeroize(buf, sizeof(buf));
 }
+#endif /* !MLK_CONFIG_SERIAL_FIPS202_ONLY */
 
 MLK_INTERNAL_API
 void mlk_poly_rej_uniform(mlk_poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2])

mlkem/src/sampling.h

@@ -16,7 +16,6 @@
 #define MLK_SAMPLING_H
 
 #include <stdint.h>
-#include <stdlib.h>
 #include "cbmc.h"
 #include "common.h"
 #include "poly.h"
@@ -58,6 +57,7 @@ MLK_INTERNAL_API
 void mlk_poly_cbd3(mlk_poly *r, const uint8_t buf[3 * MLKEM_N / 4]);
 #endif /* MLK_CONFIG_MULTILEVEL_WITH_SHARED || MLKEM_ETA1 == 3 */
 
+#if !defined(MLK_CONFIG_SERIAL_FIPS202_ONLY)
 #define mlk_poly_rej_uniform_x4 MLK_NAMESPACE(poly_rej_uniform_x4)
 /*************************************************
  * Name:        mlk_poly_rej_uniform_x4
@@ -92,6 +92,7 @@ __contract__(
   ensures(array_bound(vec1->coeffs, 0, MLKEM_N, 0, MLKEM_Q))
   ensures(array_bound(vec2->coeffs, 0, MLKEM_N, 0, MLKEM_Q))
   ensures(array_bound(vec3->coeffs, 0, MLKEM_N, 0, MLKEM_Q)));
+#endif /* !MLK_CONFIG_SERIAL_FIPS202_ONLY */
 
 #define mlk_poly_rej_uniform MLK_NAMESPACE(poly_rej_uniform)
 /*************************************************

proofs/cbmc/gen_matrix/Makefile

@@ -20,7 +20,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mlkem/src/indcpa.c
 
 CHECK_FUNCTION_CONTRACTS=mlk_gen_matrix
-USE_FUNCTION_CONTRACTS=mlk_poly_rej_uniform mlk_poly_rej_uniform_x4 mlk_poly_permute_bitrev_to_custom mlk_zeroize
+USE_FUNCTION_CONTRACTS=mlk_poly_rej_uniform mlk_poly_rej_uniform_x4 mlk_polymat_permute_bitrev_to_custom mlk_zeroize
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 

proofs/cbmc/gen_matrix_native/Makefile renamed to proofs/cbmc/gen_matrix_serial/Makefile

@@ -4,31 +4,31 @@
 include ../Makefile_params.common
 
 HARNESS_ENTRY = harness
-HARNESS_FILE = gen_matrix_native_harness
+HARNESS_FILE = gen_matrix_serial_harness
 
 # This should be a unique identifier for this proof, and will appear on the
 # Litani dashboard. It can be human-readable and contain spaces if you wish.
-PROOF_UID = gen_matrix_native
+PROOF_UID = mlk_gen_matrix_serial
 
-DEFINES += -DMLK_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLK_CONFIG_ARITH_BACKEND_FILE="\"dummy_backend.h\""
+DEFINES += -DMLK_CONFIG_SERIAL_FIPS202_ONLY
 INCLUDES +=
 
 REMOVE_FUNCTION_BODY +=
-UNWINDSET += mlk_gen_matrix.0:4 mlk_gen_matrix.1:4 mlk_gen_matrix.2:4 mlk_gen_matrix.3:16
+UNWINDSET += mlk_gen_matrix.0:4 mlk_gen_matrix.1:16
 
 PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mlkem/src/indcpa.c
 
 CHECK_FUNCTION_CONTRACTS=mlk_gen_matrix
-USE_FUNCTION_CONTRACTS=mlk_poly_rej_uniform mlk_poly_rej_uniform_x4 mlk_poly_permute_bitrev_to_custom
+USE_FUNCTION_CONTRACTS=mlk_poly_rej_uniform mlk_polymat_permute_bitrev_to_custom mlk_zeroize
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1
 
 # Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
 EXTERNAL_SAT_SOLVER=
 CBMCFLAGS=--smt2
 
-FUNCTION_NAME = mlk_gen_matrix_native
+FUNCTION_NAME = mlk_gen_matrix_serial
 
 # If this proof is found to consume huge amounts of RAM, you can set the
 # EXPENSIVE variable. With new enough versions of the proof tools, this will