CBMC: Add contracts and proofs for various polyvec functions #151
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mkannwischer
force-pushed
the
cbmc-polyvec-proofs
branch
4 times, most recently
from
29b7232 to
5c4cfad
Compare
mkannwischer
force-pushed
the
cbmc-polyvec-proofs
branch
2 times, most recently
from
d60ef12 to
0049ad3
Compare
|
I removed the proofs from here that don't have acceptable run time yet and moved them to #169. |
mkannwischer
force-pushed
the
cbmc-polyvec-proofs
branch
2 times, most recently
from
cdec6c2 to
6050f70
Compare
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Arm Cortex-A72 (Raspberry Pi 4) benchmarks (opt)
| Benchmark suite | Current: 6050f70 | Previous: db0c059 | Ratio |
|---|---|---|---|
ML-DSA-44 keypair |
305686 cycles |
302258 cycles |
1.01 |
ML-DSA-44 sign |
1054556 cycles |
1038859 cycles |
1.02 |
ML-DSA-44 verify |
328806 cycles |
325882 cycles |
1.01 |
ML-DSA-65 keypair |
560506 cycles |
557736 cycles |
1.00 |
ML-DSA-65 sign |
1549828 cycles |
1517159 cycles |
1.02 |
ML-DSA-65 verify |
537579 cycles |
532945 cycles |
1.01 |
ML-DSA-87 keypair |
863362 cycles |
862513 cycles |
1.00 |
ML-DSA-87 sign |
1986410 cycles |
1962426 cycles |
1.01 |
ML-DSA-87 verify |
894623 cycles |
890895 cycles |
1.00 |
This comment was automatically generated by workflow using github-action-benchmark.
There was a problem hiding this comment.
Arm Cortex-A72 (Raspberry Pi 4) benchmarks (no-opt)
| Benchmark suite | Current: 6050f70 | Previous: db0c059 | Ratio |
|---|---|---|---|
ML-DSA-44 keypair |
305610 cycles |
302563 cycles |
1.01 |
ML-DSA-44 sign |
949111 cycles |
1038239 cycles |
0.91 |
ML-DSA-44 verify |
329175 cycles |
325625 cycles |
1.01 |
ML-DSA-65 keypair |
560411 cycles |
557708 cycles |
1.00 |
ML-DSA-65 sign |
1543294 cycles |
1521737 cycles |
1.01 |
ML-DSA-65 verify |
536667 cycles |
533310 cycles |
1.01 |
ML-DSA-87 keypair |
865489 cycles |
861766 cycles |
1.00 |
ML-DSA-87 sign |
1994548 cycles |
1959841 cycles |
1.02 |
ML-DSA-87 verify |
897060 cycles |
889017 cycles |
1.01 |
This comment was automatically generated by workflow using github-action-benchmark.
Resolves #116 Signed-off-by: Matthias J. Kannwischer <[email protected]>
Resolves #117 Unrolling resulted in too poor performance. The direct proof works, but it requires to workaround the CBMC limitation described in: #102 diffblue/cbmc#8617 Signed-off-by: Matthias J. Kannwischer <[email protected]>
Resolves #124. Signed-off-by: Matthias J. Kannwischer <[email protected]>
Resolves #126 Signed-off-by: Matthias J. Kannwischer <[email protected]>
Resolves #127 Unrolling resulted in too poor performance. The direct proof works, but it requires to workaround the CBMC limitation described in: #102 diffblue/cbmc#8617 This also moves the correctness post-condition in poly_sub into a assert at the end of the function. This vastly improves performance. Signed-off-by: Matthias J. Kannwischer <[email protected]>
Resolves #136 Signed-off-by: Matthias J. Kannwischer <[email protected]>
Resolves #135 Unrolling resulted in too poor performance. The direct proof works, but it requires to workaround the CBMC limitation described in: #102 diffblue/cbmc#8617 Signed-off-by: Matthias J. Kannwischer <[email protected]>
mkannwischer
force-pushed
the
cbmc-polyvec-proofs
branch
from
6050f70 to
5a25f42
Compare
|
There is a measurable overhead of the whole-struct assignment CBMC workaround of 1-2% I'd say. That shouldn't stop us from proceeding, I think. |
|
This is ready for review now. Much pain. |
This was referenced Apr 16, 2025
| void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v); | ||
| void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) | ||
| __contract__( | ||
| requires(memory_no_alias(w, sizeof(polyvecl))) |
There was a problem hiding this comment.
This is not going to work, and similar for poly_add, since the function is being called with aliasing first and second argument -- like in mlkem-native.
hanno-becker
requested changes
Apr 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
polyvecl_reduce#116polyvecl_add#117polyveck_reduce#124polyveck_add#126polyveck_sub#127polyveck_pack_w1#136polyveck_use_hint#135polyvecl_add,polyveck_add,polyveck_sub,polyveck_use_hint,polyveck_reduce,polyvecl_reducewere too slow when using unrolling - I instead did a direct proof with the workaround from #92. I added them to #102 to remove the whole-struct assignments once the corresponding CBMC issue is resolved.