CBMC: Add KeccakF1600[x4]_StatePermute proofs based on native code

This commit adds CBMC specifications to the FIPS202 backend API and
proves the functions depending on it -- KeccakF1600_StatePermute and
KeccakF1600x4_StatePermute -- memory-safe with respect to those
specifications.

Since the logic implementing KeccakF1600x4_StatePermute in the presence
of a FIPS202 backend depends on whether x1/x2/x4-batched Keccak is present
in the native backend, we provide 3 dummy FIPS202 backends for each case.

Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>

mlkem/fips202/native/api.h

@@ -32,13 +32,22 @@
  */
 
 #if defined(MLKEM_USE_FIPS202_X1_NATIVE)
-static INLINE void keccak_f1600_x1_native(uint64_t *state);
+static INLINE void keccak_f1600_x1_native(uint64_t *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1)));
 #endif
 #if defined(MLKEM_USE_FIPS202_X2_NATIVE)
-static INLINE void keccak_f1600_x2_native(uint64_t *state);
+static INLINE void keccak_f1600_x2_native(uint64_t *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 2))
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 2)));
 #endif
 #if defined(MLKEM_USE_FIPS202_X4_NATIVE)
-static INLINE void keccak_f1600_x4_native(uint64_t *state);
+static INLINE void keccak_f1600_x4_native(uint64_t *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4)));
 #endif
 
 #endif /* MLKEM_NATIVE_FIPS202_NATIVE_API_H */

proofs/cbmc/KeccakF1600_StatePermute_native/KeccakF1600_StatePermute_native_harness.c

@@ -0,0 +1,11 @@
+// Copyright (c) 2024 The mlkem-native project authors
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+#include <keccakf1600.h>
+
+void harness(void)
+{
+  uint64_t *s;
+  KeccakF1600_StatePermute(s);
+}

proofs/cbmc/KeccakF1600_StatePermute_native/Makefile

@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: Apache-2.0
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = KeccakF1600_StatePermute_native_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = KeccakF1600_StatePermute_native
+
+DEFINES += -DMLKEM_USE_NATIVE_BACKEND_FIPS202 -DMLKEM_NATIVE_FIPS202_BACKEND_FILE="\"dummy_backend_fips202_x1.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/keccakf1600.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)KeccakF1600_StatePermute
+USE_FUNCTION_CONTRACTS=keccak_f1600_x1_native
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--bitwuzla
+
+FUNCTION_NAME = $(MLKEM_NAMESPACE)KeccakF1600_StatePermute_native
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mlkem/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mlkem/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/KeccakF1600_StatePermute_native/cbmc-proof.txt

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This file marks this directory as containing a CBMC proof.

proofs/cbmc/KeccakF1600x4_StatePermute_native_x2/KeccakF1600x4_StatePermute_native_x2_harness.c

@@ -0,0 +1,11 @@
+// Copyright (c) 2024 The mlkem-native project authors
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+#include <keccakf1600.h>
+
+void harness(void)
+{
+  uint64_t *s;
+  KeccakF1600x4_StatePermute(s);
+}

proofs/cbmc/KeccakF1600x4_StatePermute_native_x2/Makefile

@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: Apache-2.0
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = KeccakF1600x4_StatePermute_native_x2_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = KeccakF1600x4_StatePermute_native_x2
+
+DEFINES += -DMLKEM_USE_NATIVE_BACKEND_FIPS202 -DMLKEM_NATIVE_FIPS202_BACKEND_FILE="\"dummy_backend_fips202_x2.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/keccakf1600.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)KeccakF1600x4_StatePermute
+USE_FUNCTION_CONTRACTS=keccak_f1600_x2_native
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--bitwuzla
+
+FUNCTION_NAME = KeccakF1600x4_StatePermute_native_x2
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mlkem/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mlkem/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/KeccakF1600x4_StatePermute_native_x2/cbmc-proof.txt

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This file marks this directory as containing a CBMC proof.

proofs/cbmc/KeccakF1600x4_StatePermute_native_x4/KeccakF1600x4_StatePermute_native_x4_harness.c

@@ -0,0 +1,11 @@
+// Copyright (c) 2024 The mlkem-native project authors
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+#include <keccakf1600.h>
+
+void harness(void)
+{
+  uint64_t *s;
+  KeccakF1600x4_StatePermute(s);
+}

proofs/cbmc/KeccakF1600x4_StatePermute_native_x4/Makefile

@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: Apache-2.0
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = KeccakF1600x4_StatePermute_native_x4_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = KeccakF1600x4_StatePermute_native_x4
+
+DEFINES += -DMLKEM_USE_NATIVE_BACKEND_FIPS202 -DMLKEM_NATIVE_FIPS202_BACKEND_FILE="\"dummy_backend_fips202_x4.h\""
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/keccakf1600.c
+
+CHECK_FUNCTION_CONTRACTS=$(MLKEM_NAMESPACE)KeccakF1600x4_StatePermute
+USE_FUNCTION_CONTRACTS=keccak_f1600_x4_native
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--bitwuzla
+
+FUNCTION_NAME = KeccakF1600x4_StatePermute_native_x4
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mlkem/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mlkem/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common

proofs/cbmc/KeccakF1600x4_StatePermute_native_x4/cbmc-proof.txt

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This file marks this directory as containing a CBMC proof.

proofs/cbmc/dummy_backend_fips202_x1.h

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2024 The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifdef MLKEM_NATIVE_FIPS202_PROFILE_H
+#error Only one MLKEM_FIPS202 assembly profile can be defined -- did you include multiple profiles?
+#else
+#define MLKEM_NATIVE_FIPS202_PROFILE_H
+
+#define MLKEM_NATIVE_FIPS202_BACKEND_NAME DUMMY_BACKEND_FIPS202_X1
+
+/* Filename of the C backend implementation.
+ * This is not inlined here because this header is included in assembly
+ * files as well. */
+#define MLKEM_NATIVE_FIPS202_BACKEND_IMPL "dummy_backend_fips202_x1_impl.h"
+
+#endif /* MLKEM_NATIVE_FIPS202_PROFILE_H */

proofs/cbmc/dummy_backend_fips202_x1_impl.h

@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2024 The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* ML-KEM arithmetic native profile for clean assembly */
+
+#ifdef MLKEM_NATIVE_ARITH_PROFILE_IMPL_H
+#error Only one MLKEM_ARITH assembly profile can be defined -- did you include multiple profiles?
+#else
+#define MLKEM_NATIVE_ARITH_PROFILE_IMPL_H
+
+#define MLKEM_USE_FIPS202_X1_NATIVE
+
+#include "../mlkem/fips202/native/api.h"
+
+#endif /* MLKEM_NATIVE_ARITH_PROFILE_IMPL_H */

proofs/cbmc/dummy_backend_fips202_x2.h

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2024 The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifdef MLKEM_NATIVE_FIPS202_PROFILE_H
+#error Only one MLKEM_FIPS202 assembly profile can be defined -- did you include multiple profiles?
+#else
+#define MLKEM_NATIVE_FIPS202_PROFILE_H
+
+#define MLKEM_NATIVE_FIPS202_BACKEND_NAME DUMMY_BACKEND_FIPS202_X2
+
+/* Filename of the C backend implementation.
+ * This is not inlined here because this header is included in assembly
+ * files as well. */
+#define MLKEM_NATIVE_FIPS202_BACKEND_IMPL "dummy_backend_fips202_x2_impl.h"
+
+#endif /* MLKEM_NATIVE_FIPS202_PROFILE_H */

proofs/cbmc/dummy_backend_fips202_x2_impl.h

@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2024 The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* ML-KEM arithmetic native profile for clean assembly */
+
+#ifdef MLKEM_NATIVE_ARITH_PROFILE_IMPL_H
+#error Only one MLKEM_ARITH assembly profile can be defined -- did you include multiple profiles?
+#else
+#define MLKEM_NATIVE_ARITH_PROFILE_IMPL_H
+
+#define MLKEM_USE_FIPS202_X2_NATIVE
+
+#include "../mlkem/fips202/native/api.h"
+
+#endif /* MLKEM_NATIVE_ARITH_PROFILE_IMPL_H */

proofs/cbmc/dummy_backend_fips202_x4.h

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2024 The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifdef MLKEM_NATIVE_FIPS202_PROFILE_H
+#error Only one MLKEM_FIPS202 assembly profile can be defined -- did you include multiple profiles?
+#else
+#define MLKEM_NATIVE_FIPS202_PROFILE_H
+
+#define MLKEM_NATIVE_FIPS202_BACKEND_NAME DUMMY_BACKEND_FIPS202_X2
+
+/* Filename of the C backend implementation.
+ * This is not inlined here because this header is included in assembly
+ * files as well. */
+#define MLKEM_NATIVE_FIPS202_BACKEND_IMPL "dummy_backend_fips202_x4_impl.h"
+
+#endif /* MLKEM_NATIVE_FIPS202_PROFILE_H */

proofs/cbmc/dummy_backend_fips202_x4_impl.h

@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2024 The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* ML-KEM arithmetic native profile for clean assembly */
+
+#ifdef MLKEM_NATIVE_ARITH_PROFILE_IMPL_H
+#error Only one MLKEM_ARITH assembly profile can be defined -- did you include multiple profiles?
+#else
+#define MLKEM_NATIVE_ARITH_PROFILE_IMPL_H
+
+#define MLKEM_USE_FIPS202_X4_NATIVE
+
+#include "../mlkem/fips202/native/api.h"
+
+#endif /* MLKEM_NATIVE_ARITH_PROFILE_IMPL_H */