Skip to content

cbmc

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

cbmc

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
barrett_reduce
barrett_reduce
 
 
check_pct
check_pct
 
 
ct_cmask_neg_i16
ct_cmask_neg_i16
 
 
ct_cmask_nonzero_u16
ct_cmask_nonzero_u16
 
 
ct_cmask_nonzero_u8
ct_cmask_nonzero_u8
 
 
ct_cmov_zero
ct_cmov_zero
 
 
ct_get_optblocker_i32
ct_get_optblocker_i32
 
 
ct_get_optblocker_u32
ct_get_optblocker_u32
 
 
ct_get_optblocker_u8
ct_get_optblocker_u8
 
 
ct_memcmp
ct_memcmp
 
 
ct_sel_int16
ct_sel_int16
 
 
ct_sel_uint8
ct_sel_uint8
 
 
enc_getnoise_eta1_eta2
enc_getnoise_eta1_eta2
 
 
fqmul
fqmul
 
 
gen_matrix
gen_matrix
 
 
gen_matrix_serial
gen_matrix_serial
 
 
indcpa_dec
indcpa_dec
 
 
indcpa_enc
indcpa_enc
 
 
indcpa_keypair_derand
indcpa_keypair_derand
 
 
intt_native_aarch64
intt_native_aarch64
 
 
intt_native_x86_64
intt_native_x86_64
 
 
invntt_layer
invntt_layer
 
 
keccak_absorb_once
keccak_absorb_once
 
 
keccak_absorb_once_x4
keccak_absorb_once_x4
 
 
keccak_f1600_x1_native_aarch64
keccak_f1600_x1_native_aarch64
 
 
keccak_f1600_x1_native_aarch64_v84a
keccak_f1600_x1_native_aarch64_v84a
 
 
keccak_f1600_x4_native_aarch64_v84a
keccak_f1600_x4_native_aarch64_v84a
 
 
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid
keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid
 
 
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid
keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid
 
 
keccak_f1600_x4_native_avx2
keccak_f1600_x4_native_avx2
 
 
keccak_squeeze_once
keccak_squeeze_once
 
 
keccak_squeezeblocks
keccak_squeezeblocks
 
 
keccak_squeezeblocks_x4
keccak_squeezeblocks_x4
 
 
keccakf1600_extract_bytes
keccakf1600_extract_bytes
 
 
keccakf1600_extract_bytes_BE
keccakf1600_extract_bytes_BE
 
 
keccakf1600_permute
keccakf1600_permute
 
 
keccakf1600_permute_c
keccakf1600_permute_c
 
 
keccakf1600_permute_native
keccakf1600_permute_native
 
 
keccakf1600_xor_bytes
keccakf1600_xor_bytes
 
 
keccakf1600_xor_bytes_BE
keccakf1600_xor_bytes_BE
 
 
keccakf1600x4_extract_bytes
keccakf1600x4_extract_bytes
 
 
keccakf1600x4_extract_bytes_c
keccakf1600x4_extract_bytes_c
 
 
keccakf1600x4_extract_bytes_native
keccakf1600x4_extract_bytes_native
 
 
keccakf1600x4_permute
keccakf1600x4_permute
 
 
keccakf1600x4_permute_native_x4
keccakf1600x4_permute_native_x4
 
 
keccakf1600x4_xor_bytes
keccakf1600x4_xor_bytes
 
 
keccakf1600x4_xor_bytes_c
keccakf1600x4_xor_bytes_c
 
 
keccakf1600x4_xor_bytes_native
keccakf1600x4_xor_bytes_native
 
 
kem_check_pk
kem_check_pk
 
 
kem_check_sk
kem_check_sk
 
 
kem_dec
kem_dec
 
 
kem_enc
kem_enc
 
 
kem_enc_derand
kem_enc_derand
 
 
kem_keypair
kem_keypair
 
 
kem_keypair_derand
kem_keypair_derand
 
 
keypair_getnoise_eta1
keypair_getnoise_eta1
 
 
lib
lib
 
 
matvec_mul
matvec_mul
 
 
montgomery_reduce
montgomery_reduce
 
 
ntt_butterfly_block
ntt_butterfly_block
 
 
ntt_layer
ntt_layer
 
 
ntt_native_aarch64
ntt_native_aarch64
 
 
ntt_native_x86_64
ntt_native_x86_64
 
 
nttunpack_native_x86_64
nttunpack_native_x86_64
 
 
poly_add
poly_add
 
 
poly_cbd_eta1
poly_cbd_eta1
 
 
poly_cbd_eta2
poly_cbd_eta2
 
 
poly_compress_d10
poly_compress_d10
 
 
poly_compress_d10_c
poly_compress_d10_c
 
 
poly_compress_d10_native
poly_compress_d10_native
 
 
poly_compress_d10_native_x86_64
poly_compress_d10_native_x86_64
 
 
poly_compress_d11
poly_compress_d11
 
 
poly_compress_d11_c
poly_compress_d11_c
 
 
poly_compress_d11_native
poly_compress_d11_native
 
 
poly_compress_d11_native_x86_64
poly_compress_d11_native_x86_64
 
 
poly_compress_d4
poly_compress_d4
 
 
poly_compress_d4_c
poly_compress_d4_c
 
 
poly_compress_d4_native
poly_compress_d4_native
 
 
poly_compress_d4_native_x86_64
poly_compress_d4_native_x86_64
 
 
poly_compress_d5
poly_compress_d5
 
 
poly_compress_d5_c
poly_compress_d5_c
 
 
poly_compress_d5_native
poly_compress_d5_native
 
 
poly_compress_d5_native_x86_64
poly_compress_d5_native_x86_64
 
 
poly_compress_du
poly_compress_du
 
 
poly_compress_dv
poly_compress_dv
 
 
poly_decompress_d10
poly_decompress_d10
 
 
poly_decompress_d10_c
poly_decompress_d10_c
 
 
poly_decompress_d10_native
poly_decompress_d10_native
 
 
poly_decompress_d10_native_x86_64
poly_decompress_d10_native_x86_64
 
 
poly_decompress_d11
poly_decompress_d11
 
 
poly_decompress_d11_c
poly_decompress_d11_c
 
 
poly_decompress_d11_native
poly_decompress_d11_native
 
 
poly_decompress_d11_native_x86_64
poly_decompress_d11_native_x86_64
 
 
poly_decompress_d4
poly_decompress_d4
 
 
poly_decompress_d4_c
poly_decompress_d4_c
 
 
poly_decompress_d4_native
poly_decompress_d4_native
 
 
poly_decompress_d4_native_x86_64
poly_decompress_d4_native_x86_64
 
 
poly_decompress_d5
poly_decompress_d5
 
 
poly_decompress_d5_c
poly_decompress_d5_c
 
 
poly_decompress_d5_native
poly_decompress_d5_native
 
 

README.md

CBMC proofs

This directory contains the infrastructure for running CBMC proofs for the absence of certain classes of undefined behaviour for parts of the C-code in mlkem-native.

Primer

Proofs are organized by functions, with the harnesses for each function in a separate directory. Specifications are directly embedded inside the mlkem-native C-source as contract and loop annotations; the CBMC harnesses are boilerplate only and don't add to the specification.

For example, these are the specification and proof of the poly_add function:

void mlk_poly_add(mlk_poly *r, const mlk_poly *b)
__contract__(
  requires(memory_no_alias(r, sizeof(mlk_poly)))
  requires(memory_no_alias(b, sizeof(mlk_poly)))
  requires(forall(k0, 0, MLKEM_N, (int32_t) r->coeffs[k0] + b->coeffs[k0] <= INT16_MAX))
  requires(forall(k1, 0, MLKEM_N, (int32_t) r->coeffs[k1] + b->coeffs[k1] >= INT16_MIN))
  ensures(forall(k, 0, MLKEM_N, r->coeffs[k] == old(*r).coeffs[k] + b->coeffs[k]))
  assigns(memory_slice(r, sizeof(mlk_poly)))
);

...

void mlk_poly_add(mlk_poly *r, const mlk_poly *b)
{
  unsigned i;
  for (i = 0; i < MLKEM_N; i++)
  __loop__(
    invariant(i <= MLKEM_N)
    invariant(forall(k0, i, MLKEM_N, r->coeffs[k0] == loop_entry(*r).coeffs[k0]))
    invariant(forall(k1, 0, i, r->coeffs[k1] == loop_entry(*r).coeffs[k1] + b->coeffs[k1])))
  {
    r->coeffs[i] = r->coeffs[i] + b->coeffs[i];
  }
}

See the Proof Guide for a walkthrough of how to use CBMC and develop new proofs.

Installation

To reproduce the CBMC proofs, you will require several tools (CBMC, z3, bitwuzla, litani, cbmc-viewer) installed. It is not uncommon for proofs to fail or have significantly worse performance when switching to different tool versions. Therefore, we highly recommend using our Nix development environment to install all the necessary tools. See CONTRIBUTING.md.

Note that nix installation is straightforward and only requires running a single command: See https://nixos.org/download/. Once Nix is installed, it takes a single command to install all the required tools at the version that have been tested to work well with the mlkem-native proofs:

nix develop --experimental-features 'nix-command flakes'

Reproducing the proofs

To run all proofs, print a summary at the end and reflect overall success/failure in the error code, use

MLKEM_K={2,3,4} run-cbmc-proofs.py --summarize

If GITHUB_STEP_SUMMARY is set, the proof summary will be appended to it.

Alternatively, you can use the tests script, see

tests cbmc --help

What is covered?

Each proved function has an eponymous sub-directory of its own. Use list_proofs.sh to see the list of functions covered.

The classes of undefined behavior covered by CBMC are documented here.