Remove unused spec for mld_montgomery_reduce, add bounds reasoning #668
+44
−33
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hanno-becker
force-pushed
the
mld_montgomery_reduce
branch
from
944c6be to
41f877b
Compare
hanno-becker
force-pushed
the
mld_montgomery_reduce
branch
from
41f877b to
3b686e6
Compare
mkannwischer
requested changes
Nov 11, 2025
Contributor
mkannwischer
left a comment
mkannwischer
left a comment
There was a problem hiding this comment.
Thanks @hanno-becker - very welcome simplification. How about we eliminate the larger bound from the documentation altogether?
hanno-becker
force-pushed
the
mld_montgomery_reduce
branch
2 times, most recently
from
1ced8b1 to
ba6e679
Compare
mkannwischer
approved these changes
Nov 11, 2025
hanno-becker
force-pushed
the
mld_montgomery_reduce
branch
2 times, most recently
from
0683b6e to
608ae8f
Compare
jammychiou1
requested changes
Nov 11, 2025
Contributor
jammychiou1
left a comment
jammychiou1
left a comment
There was a problem hiding this comment.
Thank you @hanno-becker for your work! Very useful result for me to reference from the asm bound comments :D
Only two nits remaining now. Please see the comments.
hanno-becker
force-pushed
the
mld_montgomery_reduce
branch
2 times, most recently
from
d9a332b to
4b66648
Compare
Context: We previously had two specifications for mld_montgomery_reduce: - A 'weak' one where the output upper bound matches the input upper bound of mld_reduce32(). - A 'strong' one where the output interval is (-Q,Q), exclusively. Both contracts were combined into one in a somewhat ad-hoc way (the 'weak' version being encoded as pre- and post-conditions as usual, the 'strong' version being stated as an implication in the post-condition). The combined contract was used in the CBMC proofs of - mld_poly_pointwise_montgomery - mld_polyvecl_pointwise_acc_montgomery There are two more functions which rely on mld_montgomery_reduce, namely - mld_fqmul - mld_fqscale Observations: - The 'weak' contract of mld_montgomery_reduce is not needed: In the context of mld_poly_pointwise_montgomery and mld_polyvecl_pointwise_acc_montgomery, the strong version applies. - The 'strong' version also applies in the context of mld_fqmul and mld_fqscale. Accordingly, this commit removes the 'weak' version and re-formulates the 'strong' version in traditional pre/post condition form. The commit also removes the macro wrapper around the input bound, which I find difficult to read. It's easier to understand if the bound is explicit. The 'strong' version only applies to `mld_fqscale` because of the recent modification of the iNTT output bound from 3/4*Q to Q. Otherwise, an even stronger spec would have been needed. At present, one can even remove mld_fqscale and just call mld_fqmul directly, but this commit does not do this. The commit also takes the opportunity to add some pen-and-paper bounds reasoning for mld_montgomery_reduce. Fixes #602 Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
hanno-becker
force-pushed
the
mld_montgomery_reduce
branch
from
4b66648 to
5221bd1
Compare
jammychiou1
approved these changes
Nov 11, 2025
Contributor
jammychiou1
left a comment
jammychiou1
left a comment
There was a problem hiding this comment.
LGTM. Thank you for your hard work Hanno!
Contributor
|
Thanks Hanno! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context:
We previously had two specifications for mld_montgomery_reduce:
Both contracts were combined into one in a somewhat ad-hoc way (the 'weak' version being encoded as pre- and post-conditions as usual, the 'strong' version being stated as an implication in the post-condition).
The combined contract was used in the CBMC proofs of
There are two more functions which rely on mld_montgomery_reduce, namely
Observations:
Accordingly, this commit removes the 'weak' version and re-formulates the 'strong' version in traditional pre/post condition form.
The commit also removes the macro wrapper around the input bound, which I find difficult to read. It's easier to understand if the bound is explicit.
The 'strong' version only applies to
mld_fqscalebecause of the recent modification of the iNTT output bound from 3/4*Q to Q. Otherwise, an even stronger spec would have been needed. At present, one can even remove mld_fqscale and just call mld_fqmul directly, but this commit does not do this.The commit also takes the opportunity to add some pen-and-paper bounds reasoning for mld_montgomery_reduce.
mld_fqmulandmld_fqscale#602