Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow hax extraction for ML-DSA #558

Merged
merged 13 commits into from
Sep 10, 2024
Merged

Allow hax extraction for ML-DSA #558

merged 13 commits into from
Sep 10, 2024

Conversation

jschneider-bensch
Copy link
Collaborator

@jschneider-bensch jschneider-bensch commented Sep 3, 2024
edited
Loading

This PR will make it possible to extract ML-DSA to F*.

  • Cast match scrutinees to known-size types as a workaround for F*: pattern matching is disallowed on usizes, isizes (+u128/i128/f32/f64) hax#464
  • Replace loop/continue/break-style rejection sampling with a bounded loop. As @xvzcf had already pointed out, the probability of the bounded rejection sampling to not succeed within 576 attempts is smaller than 2^128. Nonetheless, I've introduced a SigningError type to indicate this, so we don't panic, even in this most unlikely case.
  • RefMut issues in encoding::signature: Solved this by accessing signature[offset + ...] directly instead of using let hint_serialized = &mut signature[offset..].
  • FunctionalizeLoops issue in encoding::signature: The error message was a bit opaque, in that the issue was early returns in this function. I've replaced them with some (rather inelegant, I'm afraid) flag and that's used to manually breaks out of the loops and signals an error should be returned at the end.
  • Add minimalistic extraction to CI: This just runs cargo hax into fstar

@jschneider-bensch jschneider-bensch linked an issue Sep 3, 2024 that may be closed by this pull request
ML-DSA: Refactor code to so that Hax can process it. #341
Closed
@jschneider-bensch jschneider-bensch marked this pull request as ready for review September 5, 2024 14:16
franziskuskiefer
franziskuskiefer approved these changes Sep 10, 2024
View reviewed changes
Copy link
Member

@franziskuskiefer franziskuskiefer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Two nits, then we can get this in.

libcrux-ml-dsa/examples/sign_65.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_generic.rs Outdated Show resolved Hide resolved
@franziskuskiefer
Copy link
Member

Oh and I created a conflict with #524 that need to get resolved.

@jschneider-bensch
Copy link
Collaborator Author

jschneider-bensch commented Sep 10, 2024
edited
Loading

After merging and resolving, more of the AVX2 implementation seems to be going through hax, probably because the multiplexing works 👍
To fix the extraction I had to update the intrinsics interfaces for hax and cast match scrutinees in more places.

@franziskuskiefer franziskuskiefer added this pull request to the merge queue Sep 10, 2024
Merged via the queue into main with commit 17566f6 Sep 10, 2024
49 checks passed
@franziskuskiefer franziskuskiefer deleted the jonas/ml-dsa-hax-fixes branch September 10, 2024 14:43
This was referenced Sep 11, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@franziskuskiefer franziskuskiefer franziskuskiefer approved these changes

@karthikbhargavan karthikbhargavan Awaiting requested review from karthikbhargavan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ML-DSA: Refactor code to so that Hax can process it.
2 participants
@jschneider-bensch @franziskuskiefer