Lowram: Share buffers with non-overlapping lifetimes in verify

integration/opentitan/reduce_alloc.patch

@@ -13,20 +13,20 @@ index be11f20..0000000 100644
 -  kOtcryptoMldsa44WorkBufferVerifyWords = 22464 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferKeypairWords = 13600 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferSignWords = 13120 / sizeof(uint32_t),
-+  kOtcryptoMldsa44WorkBufferVerifyWords = 19392 / sizeof(uint32_t),
++  kOtcryptoMldsa44WorkBufferVerifyWords = 13184 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa65WorkBufferKeypairWords = 46304 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferSignWords = 44768 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferVerifyWords = 30720 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferKeypairWords = 19744 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferSignWords = 17248 / sizeof(uint32_t),
-+  kOtcryptoMldsa65WorkBufferVerifyWords = 26624 / sizeof(uint32_t),
++  kOtcryptoMldsa65WorkBufferVerifyWords = 18368 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa87WorkBufferKeypairWords = 62688 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferSignWords = 59104 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferVerifyWords = 41216 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferKeypairWords = 25888 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferSignWords = 21344 / sizeof(uint32_t),
-+  kOtcryptoMldsa87WorkBufferVerifyWords = 35072 / sizeof(uint32_t),
++  kOtcryptoMldsa87WorkBufferVerifyWords = 24768 / sizeof(uint32_t),
  };
 

mldsa/mldsa_native.c

@@ -264,8 +264,8 @@
 #undef mld_pack_sig_z
 #undef mld_pack_sk_rho_key_tr_s2_t0
 #undef mld_pack_sk_s1
-#undef mld_unpack_pk
-#undef mld_unpack_sig
+#undef mld_sig_unpack_hints
+#undef mld_unpack_pk_t1
 #undef mld_unpack_sk
 /* mldsa/src/params.h */
 #undef MLDSA_BETA

mldsa/mldsa_native.h

@@ -942,33 +942,33 @@ int MLD_API_NAMESPACE(pk_from_sk)(
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 48448
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 37056
 #define MLD_TOTAL_ALLOC_44_SIGN 44704
-#define MLD_TOTAL_ALLOC_44_VERIFY 34720
+#define MLD_TOTAL_ALLOC_44_VERIFY 25472
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 49408
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 74592
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 60608
 #define MLD_TOTAL_ALLOC_65_SIGN 69312
-#define MLD_TOTAL_ALLOC_65_VERIFY 56288
+#define MLD_TOTAL_ALLOC_65_VERIFY 42944
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 82176
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 115456
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 97472
 #define MLD_TOTAL_ALLOC_87_SIGN 108224
-#define MLD_TOTAL_ALLOC_87_VERIFY 91360
+#define MLD_TOTAL_ALLOC_87_VERIFY 73920
 #else /* MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM */
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 13600
-#define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 23136
+#define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 16928
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 21728
 #define MLD_TOTAL_ALLOC_44_SIGN 13120
-#define MLD_TOTAL_ALLOC_44_VERIFY 19392
+#define MLD_TOTAL_ALLOC_44_VERIFY 13184
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 19744
-#define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 31904
+#define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 23648
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 30944
 #define MLD_TOTAL_ALLOC_65_SIGN 17248
-#define MLD_TOTAL_ALLOC_65_VERIFY 26624
+#define MLD_TOTAL_ALLOC_65_VERIFY 18368
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 25888
-#define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 42304
+#define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 32000
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 41184
 #define MLD_TOTAL_ALLOC_87_SIGN 21344
-#define MLD_TOTAL_ALLOC_87_VERIFY 35072
+#define MLD_TOTAL_ALLOC_87_VERIFY 24768
 #endif /* !(MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM) */
 /* check-magic: on */
 

mldsa/mldsa_native_asm.S

@@ -269,8 +269,8 @@
 #undef mld_pack_sig_z
 #undef mld_pack_sk_rho_key_tr_s2_t0
 #undef mld_pack_sk_s1
-#undef mld_unpack_pk
-#undef mld_unpack_sig
+#undef mld_sig_unpack_hints
+#undef mld_unpack_pk_t1
 #undef mld_unpack_sk
 /* mldsa/src/params.h */
 #undef MLDSA_BETA

mldsa/src/packing.c

@@ -13,7 +13,6 @@
  * This is to facilitate building multiple instances
  * of mldsa-native (e.g. with varying parameter sets)
  * within a single compilation unit. */
-#define mld_unpack_hints MLD_ADD_PARAM_SET(mld_unpack_hints)
 /* End of parameter set namespacing */
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API)
@@ -39,12 +38,11 @@ void mld_pack_pk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
 
 #if !defined(MLD_CONFIG_NO_VERIFY_API)
 MLD_INTERNAL_API
-void mld_unpack_pk(uint8_t rho[MLDSA_SEEDBYTES], mld_polyveck *t1,
-                   const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES])
+void mld_unpack_pk_t1(mld_polyveck *t1,
+                      const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES])
 {
   unsigned int i;
 
-  mld_memcpy(rho, pk, MLDSA_SEEDBYTES);
   pk += MLDSA_SEEDBYTES;
 
   for (i = 0; i < MLDSA_K; ++i)
@@ -173,30 +171,11 @@ void mld_pack_sig_z(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *zi,
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
 #if !defined(MLD_CONFIG_NO_VERIFY_API)
-/*************************************************
- * Name:        mld_unpack_hints
- *
- * Description: Unpack raw hint bytes into a polyveck
- *              struct
- *
- * Arguments:   - mld_polyveck *h: pointer to output hint vector h
- *              - const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES]:
- *                raw hint bytes
- *
- * Returns 1 in case of malformed hints; otherwise 0.
- **************************************************/
-static int mld_unpack_hints(
-    mld_polyveck *h, const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES])
-__contract__(
-  requires(memory_no_alias(packed_hints, MLDSA_POLYVECH_PACKEDBYTES))
-  requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  assigns(memory_slice(h, sizeof(mld_polyveck)))
-  /* All returned coefficients are either 0 or 1 */
-  ensures(forall(k1, 0, MLDSA_K,
-    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-  ensures(return_value >= 0 && return_value <= 1)
-)
+MLD_INTERNAL_API
+int mld_sig_unpack_hints(mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
 {
+  const uint8_t *packed_hints =
+      sig + MLDSA_CTILDEBYTES + MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
   unsigned int i, j;
   unsigned int old_hint_count;
 
@@ -269,21 +248,5 @@ __contract__(
 }
 #endif /* !MLD_CONFIG_NO_VERIFY_API */
 
-#if !defined(MLD_CONFIG_NO_VERIFY_API)
-MLD_INTERNAL_API
-int mld_unpack_sig(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
-                   mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
-{
-  mld_memcpy(c, sig, MLDSA_CTILDEBYTES);
-  sig += MLDSA_CTILDEBYTES;
-
-  mld_polyvecl_unpack_z(z, sig);
-  sig += MLDSA_L * MLDSA_POLYZ_PACKEDBYTES;
-
-  return mld_unpack_hints(h, sig);
-}
-#endif /* !MLD_CONFIG_NO_VERIFY_API */
-
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */
-#undef mld_unpack_hints

mldsa/src/packing.h

@@ -159,24 +159,21 @@ __contract__(
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
 #if !defined(MLD_CONFIG_NO_VERIFY_API)
-#define mld_unpack_pk MLD_NAMESPACE_KL(unpack_pk)
+#define mld_unpack_pk_t1 MLD_NAMESPACE_KL(unpack_pk_t1)
 /*************************************************
- * Name:        mld_unpack_pk
+ * Name:        mld_unpack_pk_t1
  *
- * Description: Unpack public key pk = (rho, t1).
+ * Description: Unpack the t1 component of a public key pk = (rho, t1).
  *
- * Arguments:   - const uint8_t rho[]: output byte array for rho
- *              - const mld_polyveck *t1: pointer to output vector t1
+ * Arguments:   - mld_polyveck *t1: pointer to output vector t1
  *              - uint8_t pk[]: byte array containing bit-packed pk
  **************************************************/
 MLD_INTERNAL_API
-void mld_unpack_pk(uint8_t rho[MLDSA_SEEDBYTES], mld_polyveck *t1,
-                   const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES])
+void mld_unpack_pk_t1(mld_polyveck *t1,
+                      const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES])
 __contract__(
   requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
   requires(memory_no_alias(t1, sizeof(mld_polyveck)))
-  assigns(memory_slice(rho, MLDSA_SEEDBYTES))
   assigns(memory_slice(t1, sizeof(mld_polyveck)))
   ensures(forall(k0, 0, MLDSA_K,
     array_bound(t1->vec[k0].coeffs, 0, MLDSA_N, 0, 1 << 10)))
@@ -239,34 +236,26 @@ __contract__(
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
 #if !defined(MLD_CONFIG_NO_VERIFY_API)
-#define mld_unpack_sig MLD_NAMESPACE_KL(unpack_sig)
+#define mld_sig_unpack_hints MLD_NAMESPACE_KL(sig_unpack_hints)
 /*************************************************
- * Name:        mld_unpack_sig
+ * Name:        mld_sig_unpack_hints
  *
- * Description: Unpack signature sig = (c, z, h).
+ * Description: Unpack hint vector h from a signature buffer.
  *
- * Arguments:   - uint8_t *c: pointer to output challenge hash
- *              - mld_polyvecl *z: pointer to output vector z
- *              - mld_polyveck *h: pointer to output hint vector h
- *              - const uint8_t sig[]: byte array containing
- *                bit-packed signature
+ * Arguments:   - mld_polyveck *h: pointer to output hint vector
+ *              - const uint8_t sig[]: signature buffer
+ *                (MLDSA_CRYPTO_BYTES); the hint bytes are read from
+ *                the trailing MLDSA_POLYVECH_PACKEDBYTES.
  *
- * Returns 1 in case of malformed signature; otherwise 0.
+ * Returns 1 in case of malformed hints; otherwise 0.
  **************************************************/
 MLD_INTERNAL_API
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_unpack_sig(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
-                   mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
+int mld_sig_unpack_hints(mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
-  requires(memory_no_alias(c, MLDSA_CTILDEBYTES))
-  requires(memory_no_alias(z, sizeof(mld_polyvecl)))
   requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  assigns(memory_slice(c, MLDSA_CTILDEBYTES))
-  assigns(memory_slice(z, sizeof(mld_polyvecl)))
   assigns(memory_slice(h, sizeof(mld_polyveck)))
-  ensures(forall(k0, 0, MLDSA_L,
-    array_bound(z->vec[k0].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
   ensures(forall(k1, 0, MLDSA_K,
     array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
   ensures(return_value >= 0 && return_value <= 1)

mldsa/src/sign.c

@@ -1051,42 +1051,55 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
 {
   int ret, cmp;
 
+  typedef union
+  {
+    mld_polyvecl z;
+    mld_poly cp;
+  } zcp_u;
+  mld_polyvecl *z;
+  mld_poly *cp;
+
+  typedef union
+  {
+    mld_polymat mat;
+    mld_polyveck t1;
+    mld_polyveck h;
+  } reuse_u;
+  mld_polymat *mat;
+  mld_polyveck *t1;
+  mld_polyveck *h;
+
   MLD_ALLOC(buf, uint8_t, (MLDSA_K * MLDSA_POLYW1_PACKEDBYTES), context);
-  MLD_ALLOC(rho, uint8_t, MLDSA_SEEDBYTES, context);
   MLD_ALLOC(mu, uint8_t, MLDSA_CRHBYTES, context);
   MLD_ALLOC(c, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_ALLOC(c2, uint8_t, MLDSA_CTILDEBYTES, context);
-  MLD_ALLOC(cp, mld_poly, 1, context);
-  MLD_ALLOC(mat, mld_polymat, 1, context);
-  MLD_ALLOC(z, mld_polyvecl, 1, context);
-  MLD_ALLOC(t1, mld_polyveck, 1, context);
-  MLD_ALLOC(tmp, mld_polyveck, 1, context);
-  MLD_ALLOC(h, mld_polyveck, 1, context);
+  MLD_ALLOC(zcp, zcp_u, 1, context);
+  MLD_ALLOC(w1, mld_polyveck, 1, context);
+  MLD_ALLOC(reuse, reuse_u, 1, context);
 
-  if (buf == NULL || rho == NULL || mu == NULL || c == NULL || c2 == NULL ||
-      cp == NULL || mat == NULL || z == NULL || t1 == NULL || tmp == NULL ||
-      h == NULL)
+  if (buf == NULL || mu == NULL || c == NULL || c2 == NULL || zcp == NULL ||
+      w1 == NULL || reuse == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
   }
+  z = &zcp->z;
+  cp = &zcp->cp;
+  mat = &reuse->mat;
+  t1 = &reuse->t1;
+  h = &reuse->h;
 
   if (siglen != MLDSA_CRYPTO_BYTES)
   {
     ret = MLD_ERR_FAIL;
     goto cleanup;
   }
 
-  mld_unpack_pk(rho, t1, pk);
+  mld_memcpy(c, sig, MLDSA_CTILDEBYTES);
+  mld_polyvecl_unpack_z(z, sig + MLDSA_CTILDEBYTES);
 
-  /* mld_unpack_sig and mld_polyvecl_chknorm signal failure through a
-   * single non-zero error code that's not yet aligned with MLD_ERR_XXX.
-   * Map it to MLD_ERR_FAIL explicitly. */
-  if (mld_unpack_sig(c, z, h, sig))
-  {
-    ret = MLD_ERR_FAIL;
-    goto cleanup;
-  }
+  /* mld_polyvecl_chknorm signals failure through a single non-zero error code
+   * that's not yet aligned with MLD_ERR_XXX. Map it to MLD_ERR_FAIL. */
   if (mld_polyvecl_chknorm(z, MLDSA_GAMMA1 - MLDSA_BETA))
   {
     ret = MLD_ERR_FAIL;
@@ -1111,23 +1124,32 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
   }
 
   /* Matrix-vector multiplication; compute Az - c2^dt1 */
+  mld_polyvecl_ntt(z);
+  mld_polyvec_matrix_expand(mat, pk);
+  mld_polyvec_matrix_pointwise_montgomery(w1, mat, z);
+
   mld_poly_challenge(cp, c);
   mld_poly_ntt(cp);
+  mld_unpack_pk_t1(t1, pk);
   mld_polyveck_shiftl(t1);
   mld_polyveck_ntt(t1);
   mld_polyveck_pointwise_poly_montgomery(t1, cp);
 
-  mld_polyvec_matrix_expand(mat, rho);
-  mld_polyvecl_ntt(z);
-  mld_polyvec_matrix_pointwise_montgomery(tmp, mat, z);
-  mld_polyveck_sub(tmp, t1);
-  mld_polyveck_reduce(tmp);
-  mld_polyveck_invntt_tomont(tmp);
+  mld_polyveck_sub(w1, t1);
+  mld_polyveck_reduce(w1);
+  mld_polyveck_invntt_tomont(w1);
 
   /* Reconstruct w1 */
-  mld_polyveck_caddq(tmp);
-  mld_polyveck_use_hint(tmp, h);
-  mld_polyveck_pack_w1(buf, tmp);
+  mld_polyveck_caddq(w1);
+  /* mld_sig_unpack_hints signals failure through a single non-zero error
+   * code that's not yet aligned with MLD_ERR_XXX. Map it to MLD_ERR_FAIL. */
+  if (mld_sig_unpack_hints(h, sig))
+  {
+    ret = MLD_ERR_FAIL;
+    goto cleanup;
+  }
+  mld_polyveck_use_hint(w1, h);
+  mld_polyveck_pack_w1(buf, w1);
   /* Call random oracle and verify challenge */
   mld_H(c2, MLDSA_CTILDEBYTES, mu, MLDSA_CRHBYTES, buf,
         MLDSA_K * MLDSA_POLYW1_PACKEDBYTES, NULL, 0);
@@ -1141,16 +1163,12 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
 
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(h, mld_polyveck, 1, context);
-  MLD_FREE(tmp, mld_polyveck, 1, context);
-  MLD_FREE(t1, mld_polyveck, 1, context);
-  MLD_FREE(z, mld_polyvecl, 1, context);
-  MLD_FREE(mat, mld_polymat, 1, context);
-  MLD_FREE(cp, mld_poly, 1, context);
+  MLD_FREE(reuse, reuse_u, 1, context);
+  MLD_FREE(w1, mld_polyveck, 1, context);
+  MLD_FREE(zcp, zcp_u, 1, context);
   MLD_FREE(c2, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_FREE(c, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_FREE(mu, uint8_t, MLDSA_CRHBYTES, context);
-  MLD_FREE(rho, uint8_t, MLDSA_SEEDBYTES, context);
   MLD_FREE(buf, uint8_t, (MLDSA_K * MLDSA_POLYW1_PACKEDBYTES), context);
   return ret;
 }