pq-code-package · mkannwischer · Mar 20, 2026 · Jan 19, 2026 · Feb 4, 2026
@@ -81,6 +81,8 @@ jobs:
           # Dependencies on {name}.{S,ml} are implicit
           - name: mldsa_poly_caddq
             needs: ["aarch64_utils.ml"]
+          - name: mldsa_poly_chknorm
+            needs: ["aarch64_utils.ml"]
     name: AArch64 HOL Light proof for ${{ matrix.proof.name }}.S
     runs-on: pqcp-arm64
     if: github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork

@@ -95,7 +95,16 @@ void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_poly_chknorm_asm(const int32_t *a, int32_t B);
+int mld_poly_chknorm_asm(const int32_t *a, int32_t B)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_chknorm.ml */
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  /* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
+  requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
+  ensures(return_value == 0 || return_value == 1)
+  ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
+);
 
 #define mld_polyz_unpack_17_asm MLD_NAMESPACE(polyz_unpack_17_asm)
 void mld_polyz_unpack_17_asm(int32_t *r, const uint8_t *buf,

@@ -95,7 +95,16 @@ void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_poly_chknorm_asm(const int32_t *a, int32_t B);
+int mld_poly_chknorm_asm(const int32_t *a, int32_t B)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_chknorm.ml */
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  /* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
+  requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
+  ensures(return_value == 0 || return_value == 1)
+  ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
+);
 
 #define mld_polyz_unpack_17_asm MLD_NAMESPACE(polyz_unpack_17_asm)
 void mld_polyz_unpack_17_asm(int32_t *r, const uint8_t *buf,

@@ -30,7 +30,7 @@ MLD_ASM_FN_SYMBOL(poly_chknorm_asm)
         // Load constants
         dup bound.4s, B
 
-        movi flags.4s, 0
+        eor flags.16b, flags.16b, flags.16b
 
         mov count, #(64/4)
 

@@ -95,7 +95,16 @@ void mld_poly_use_hint_88_asm(int32_t *b, const int32_t *a, const int32_t *h);
 
 #define mld_poly_chknorm_asm MLD_NAMESPACE(poly_chknorm_asm)
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_poly_chknorm_asm(const int32_t *a, int32_t B);
+int mld_poly_chknorm_asm(const int32_t *a, int32_t B)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/aarch64/proofs/mldsa_poly_chknorm.ml */
+__contract__(
+  requires(memory_no_alias(a, sizeof(int32_t) * MLDSA_N))
+  /* HOL Light precondition: abs(ival(x i)) < 2^31, i.e., a[i] != INT32_MIN */
+  requires(forall(k0, 0, MLDSA_N, a[k0] > INT32_MIN))
+  ensures(return_value == 0 || return_value == 1)
+  ensures((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B))
+);
 
 #define mld_polyz_unpack_17_asm MLD_NAMESPACE(polyz_unpack_17_asm)
 void mld_polyz_unpack_17_asm(int32_t *r, const uint8_t *buf,

@@ -22,7 +22,7 @@ MLD_ASM_FN_SYMBOL(poly_chknorm_asm)
 
         .cfi_startproc
         dup	v20.4s, w1
-        movi	v21.4s, #0x0
+        eor	v21.16b, v21.16b, v21.16b
         mov	x2, #0x10               // =16
 
 Lpoly_chknorm_loop:

@@ -450,7 +450,6 @@ __contract__(
           return_value == 1)
   ensures((return_value != MLD_NATIVE_FUNC_FALLBACK) ==>
           ((return_value == 0) == array_abs_bound(a, 0, MLDSA_N, B)))
-
 );
 #endif /* MLD_USE_NATIVE_POLY_CHKNORM */
 

@@ -9,12 +9,12 @@ hol_light.overrideAttrs (old: {
     export HOLLIGHT_DIR="$1/lib/hol_light"
     export PATH="$1/lib/hol_light:$PATH"
   '';
-  version = "unstable-2026-01-17";
+  version = "unstable-2026-03-20";
   src = fetchFromGitHub {
     owner = "jrh13";
     repo = "hol-light";
-    rev = "e960dd0f636c36d48f79664c7cf11a59ba6f66a3";
-    hash = "sha256-ZgOzAYokQsgO1Ua3m50shxvU9dVSzocuFHRLdIrINmU=";
+    rev = "6df9b2115135fd3321e3975827f89e7ea03ffaa0";
+    hash = "sha256-qOKksOUq9lfMn5gWdLJqDvvD5FY68k+9wJ9KbdBg0LE=";
   };
   patches = [
     ./0005-Configure-hol-sh-for-mldsa-native.patch

@@ -4,12 +4,12 @@
 { stdenv, fetchFromGitHub, writeText, ... }:
 stdenv.mkDerivation rec {
   pname = "s2n_bignum";
-  version = "113a146ab49c19281388881b3650b63a6a67e8dc";
+  version = "3bfe68deb9fbdaf23be0a927c362a87a799adc28";
   src = fetchFromGitHub {
     owner = "awslabs";
     repo = "s2n-bignum";
     rev = "${version}";
-    hash = "sha256-Ub+Nrlo8DEmz3H5SdgcH9iLbNJnZmLvGk3dGgWar2kY=";
+    hash = "sha256-C3SdYZ/PhfTmHefz3klO3l/lbEgtA8Hq9wjDmjd+Fek=";
   };
   setupHook = writeText "setup-hook.sh" ''
     export S2N_BIGNUM_DIR="$1"

@@ -0,0 +1,58 @@
+# Copyright (c) The mldsa-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+include ../Makefile_params.common
+
+HARNESS_ENTRY = harness
+HARNESS_FILE = poly_chknorm_native_aarch64_harness
+
+# This should be a unique identifier for this proof, and will appear on the
+# Litani dashboard. It can be human-readable and contain spaces if you wish.
+PROOF_UID = poly_chknorm_native_aarch64
+
+# We need to set MLD_CHECK_APIS as otherwise mldsa/src/native/api.h won't be
+# included, which contains the CBMC specifications.
+DEFINES += -DMLD_CONFIG_USE_NATIVE_BACKEND_ARITH -DMLD_CONFIG_ARITH_BACKEND_FILE="\"$(SRCDIR)/mldsa/src/native/aarch64/meta.h\"" -DMLD_CHECK_APIS
+INCLUDES +=
+
+REMOVE_FUNCTION_BODY +=
+UNWINDSET +=
+
+PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
+PROJECT_SOURCES += $(SRCDIR)/mldsa/src/poly.c
+
+CHECK_FUNCTION_CONTRACTS=mld_poly_chknorm_native
+USE_FUNCTION_CONTRACTS = mld_poly_chknorm_asm
+USE_FUNCTION_CONTRACTS += mld_sys_check_capability
+APPLY_LOOP_CONTRACTS=on
+USE_DYNAMIC_FRAMES=1
+
+# Disable any setting of EXTERNAL_SAT_SOLVER, and choose SMT backend instead
+EXTERNAL_SAT_SOLVER=
+CBMCFLAGS=--smt2
+
+FUNCTION_NAME = poly_chknorm_native_aarch64
+
+# If this proof is found to consume huge amounts of RAM, you can set the
+# EXPENSIVE variable. With new enough versions of the proof tools, this will
+# restrict the number of EXPENSIVE CBMC jobs running at once. See the
+# documentation in Makefile.common under the "Job Pools" heading for details.
+# EXPENSIVE = true
+
+# This function is large enough to need...
+CBMC_OBJECT_BITS = 8
+
+# If you require access to a file-local ("static") function or object to conduct
+# your proof, set the following (and do not include the original source file
+# ("mldsa/src/poly.c") in PROJECT_SOURCES).
+# REWRITTEN_SOURCES = $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i
+# include ../Makefile.common
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_SOURCE = $(SRCDIR)/mldsa/src/poly.c
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_FUNCTIONS = foo bar
+# $(PROOFDIR)/<__SOURCE_FILE_BASENAME__>.i_OBJECTS = baz
+# Care is required with variables on the left-hand side: REWRITTEN_SOURCES must
+# be set before including Makefile.common, but any use of variables on the
+# left-hand side requires those variables to be defined. Hence, _SOURCE,
+# _FUNCTIONS, _OBJECTS is set after including Makefile.common.
+
+include ../Makefile.common
@@ -0,0 +1,16 @@
+// Copyright (c) The mldsa-native project authors
+// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+#include <stdint.h>
+#include "cbmc.h"
+#include "params.h"
+
+int mld_poly_chknorm_native(const int32_t a[MLDSA_N], int32_t B);
+
+void harness(void)
+{
+  const int32_t *a;
+  int32_t B;
+  int t;
+  t = mld_poly_chknorm_native(a, B);
+}
@@ -52,5 +52,6 @@ echo '1+1;;' | nc -w 5 127.0.0.1 2012
 ## What is covered?
 
 - AArch64 poly_caddq: [mldsa_poly_caddq.S](aarch64/mldsa/mldsa_poly_caddq.S)
+- AArch64 poly_chknorm: [mldsa_poly_chknorm.S](aarch64/mldsa/mldsa_poly_chknorm.S)
 - x86_64 forward NTT: [mldsa_ntt.S](x86_64/mldsa/mldsa_ntt.S)
 - x86_64 inverse NTT: [mldsa_intt.S](x86_64/mldsa/mldsa_intt.S)
@@ -53,7 +53,8 @@ endif
 
 SPLIT=tr ';' '\n'
 
-OBJ = mldsa/mldsa_poly_caddq.o
+OBJ = mldsa/mldsa_poly_caddq.o \
+      mldsa/mldsa_poly_chknorm.o
 
 # According to
 # https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms,

@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/aarch64_opt/src/poly_chknorm_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+
+.text
+.balign 4
+#ifdef __APPLE__
+.global _PQCP_MLDSA_NATIVE_MLDSA44_poly_chknorm_asm
+_PQCP_MLDSA_NATIVE_MLDSA44_poly_chknorm_asm:
+#else
+.global PQCP_MLDSA_NATIVE_MLDSA44_poly_chknorm_asm
+PQCP_MLDSA_NATIVE_MLDSA44_poly_chknorm_asm:
+#endif
+
+        .cfi_startproc
+        dup	v20.4s, w1
+        eor	v21.16b, v21.16b, v21.16b
+        mov	x2, #0x10               // =16
+
+Lpoly_chknorm_loop:
+        ldr	q1, [x0, #0x10]
+        ldr	q2, [x0, #0x20]
+        ldr	q3, [x0, #0x30]
+        ldr	q0, [x0], #0x40
+        abs	v1.4s, v1.4s
+        cmge	v1.4s, v1.4s, v20.4s
+        orr	v21.16b, v21.16b, v1.16b
+        abs	v2.4s, v2.4s
+        cmge	v2.4s, v2.4s, v20.4s
+        orr	v21.16b, v21.16b, v2.16b
+        abs	v3.4s, v3.4s
+        cmge	v3.4s, v3.4s, v20.4s
+        orr	v21.16b, v21.16b, v3.16b
+        abs	v0.4s, v0.4s
+        cmge	v0.4s, v0.4s, v20.4s
+        orr	v21.16b, v21.16b, v0.16b
+        subs	x2, x2, #0x1
+        b.ne	Lpoly_chknorm_loop
+        umaxv	s21, v21.4s
+        fmov	w0, s21
+        and	w0, w0, #0x1
+        ret
+        .cfi_endproc
@@ -9,3 +9,7 @@ needs "arm/proofs/base.ml";;
 print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_caddq.o ===\n";;
 print_literal_from_elf "aarch64/mldsa/mldsa_poly_caddq.o";;
 print_string "==== bytecode end =====================================\n\n";;
+
+print_string "=== bytecode start: aarch64/mldsa/mldsa_poly_chknorm.o ===\n";;
+print_literal_from_elf "aarch64/mldsa/mldsa_poly_chknorm.o";;
+print_string "==== bytecode end =====================================\n\n";;