Define mlk_polyvec[_mulcache] as typedef for array

This commit changes the definition of `mlk_polyvec` from a struct
wrapper `struct { mlk_poly vec[MLKEM_K] }` to a typedef for
`mlk_poly[MLKEM_K]`.

This ensures that when working with polynomial matrices
-- that is, arrays of `mlk_polyvec`s -- the polynomial
entries are consecutive in memory. This needs to be assumed
for the correctness of `gen_matrix()`.

From all we know, is a theoretical concern that without this
change, compilers would be free to introduce padding into
`mlk_polyvec`, breaking `gen_matrix()`. Yet, the behaviour of
`gen_matrix` is strictly speaking UB, so it is better to change it.

A slight nuisance is that when passing `mlk_polyvec *ptr` to a
function, we have to take care to use `(*ptr)[i]` to access the
i-th polynomial in the vector. The tempting `ptr[i]` would instead
represent the `i * MLKEM_K`-th polynomial.

Signed-off-by: Hanno Becker <[email protected]>

Author: hanno-becker

mlkem/indcpa.c

@@ -228,7 +228,7 @@ void mlk_gen_matrix(mlk_polyvec *a, const uint8_t seed[MLKEM_SYMBYTES],
      * This call writes across mlk_polyvec boundaries for K=2 and K=3.
      * This is intentional and safe.
      */
-    mlk_poly_rej_uniform_x4(&a[0].vec[0] + i, seed_ext);
+    mlk_poly_rej_uniform_x4((mlk_poly *)a + i, seed_ext);
   }
 
   /* For MLKEM_K == 3, sample the last entry individually. */
@@ -249,7 +249,7 @@ void mlk_gen_matrix(mlk_polyvec *a, const uint8_t seed[MLKEM_SYMBYTES],
       seed_ext[0][MLKEM_SYMBYTES + 1] = x;
     }
 
-    mlk_poly_rej_uniform(&a[0].vec[0] + i, seed_ext[0]);
+    mlk_poly_rej_uniform((mlk_poly *)a + i, seed_ext[0]);
     i++;
   }
 
@@ -263,7 +263,7 @@ void mlk_gen_matrix(mlk_polyvec *a, const uint8_t seed[MLKEM_SYMBYTES],
   {
     for (j = 0; j < MLKEM_K; j++)
     {
-      mlk_poly_permute_bitrev_to_custom(a[i].vec[j].coeffs);
+      mlk_poly_permute_bitrev_to_custom(a[i][j].coeffs);
     }
   }
 
@@ -298,7 +298,7 @@ __contract__(
   requires(memory_no_alias(vc, sizeof(mlk_polyvec_mulcache)))
   requires(forall(k0, 0, MLKEM_K,
     forall(k1, 0, MLKEM_K,
-      array_bound(a[k0].vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))))
+      array_bound(a[k0][k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))))
   assigns(object_whole(out)))
 {
   unsigned i;
@@ -307,7 +307,7 @@ __contract__(
     assigns(i, object_whole(out))
     invariant(i <= MLKEM_K))
   {
-    mlk_polyvec_basemul_acc_montgomery_cached(&out->vec[i], &a[i], v, vc);
+    mlk_polyvec_basemul_acc_montgomery_cached(&(*out)[i], &a[i], v, vc);
   }
 }
 
@@ -348,25 +348,23 @@ void mlk_indcpa_keypair_derand(uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES],
   mlk_gen_matrix(a, publicseed, 0 /* no transpose */);
 
 #if MLKEM_K == 2
-  mlk_poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, e.vec + 0, e.vec + 1,
-                            noiseseed, 0, 1, 2, 3);
+  mlk_poly_getnoise_eta1_4x(&skpv[0], &skpv[1], &e[0], &e[1], noiseseed, 0, 1,
+                            2, 3);
 #elif MLKEM_K == 3
   /*
    * Only the first three output buffers are needed.
    * The laster parameter is a dummy that's overwritten later.
    */
-  mlk_poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, skpv.vec + 2,
-                            pkpv.vec + 0 /* irrelevant */, noiseseed, 0, 1, 2,
+  mlk_poly_getnoise_eta1_4x(&skpv[0], &skpv[1], &skpv[2],
+                            &pkpv[0] /* irrelevant */, noiseseed, 0, 1, 2,
                             0xFF /* irrelevant */);
   /* Same here */
-  mlk_poly_getnoise_eta1_4x(e.vec + 0, e.vec + 1, e.vec + 2,
-                            pkpv.vec + 0 /* irrelevant */, noiseseed, 3, 4, 5,
-                            0xFF /* irrelevant */);
+  mlk_poly_getnoise_eta1_4x(&e[0], &e[1], &e[2], &pkpv[0] /* irrelevant */,
+                            noiseseed, 3, 4, 5, 0xFF /* irrelevant */);
 #elif MLKEM_K == 4
-  mlk_poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, skpv.vec + 2,
-                            skpv.vec + 3, noiseseed, 0, 1, 2, 3);
-  mlk_poly_getnoise_eta1_4x(e.vec + 0, e.vec + 1, e.vec + 2, e.vec + 3,
-                            noiseseed, 4, 5, 6, 7);
+  mlk_poly_getnoise_eta1_4x(&skpv[0], &skpv[1], &skpv[2], &skpv[3], noiseseed,
+                            0, 1, 2, 3);
+  mlk_poly_getnoise_eta1_4x(&e[0], &e[1], &e[2], &e[3], noiseseed, 4, 5, 6, 7);
 #endif
 
   mlk_polyvec_ntt(&skpv);
@@ -426,24 +424,21 @@ void mlk_indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES],
   mlk_gen_matrix(at, seed, 1 /* transpose */);
 
 #if MLKEM_K == 2
-  mlk_poly_getnoise_eta1122_4x(sp.vec + 0, sp.vec + 1, ep.vec + 0, ep.vec + 1,
-                               coins, 0, 1, 2, 3);
+  mlk_poly_getnoise_eta1122_4x(&sp[0], &sp[1], &ep[0], &ep[1], coins, 0, 1, 2,
+                               3);
   mlk_poly_getnoise_eta2(&epp, coins, 4);
 #elif MLKEM_K == 3
   /*
    * In this call, only the first three output buffers are needed.
    * The last parameter is a dummy that's overwritten later.
    */
-  mlk_poly_getnoise_eta1_4x(sp.vec + 0, sp.vec + 1, sp.vec + 2, &b.vec[0],
-                            coins, 0, 1, 2, 0xFF);
+  mlk_poly_getnoise_eta1_4x(&sp[0], &sp[1], &sp[2], &b[0], coins, 0, 1, 2,
+                            0xFF);
   /* The fourth output buffer in this call _is_ used. */
-  mlk_poly_getnoise_eta2_4x(ep.vec + 0, ep.vec + 1, ep.vec + 2, &epp, coins, 3,
-                            4, 5, 6);
+  mlk_poly_getnoise_eta2_4x(&ep[0], &ep[1], &ep[2], &epp, coins, 3, 4, 5, 6);
 #elif MLKEM_K == 4
-  mlk_poly_getnoise_eta1_4x(sp.vec + 0, sp.vec + 1, sp.vec + 2, sp.vec + 3,
-                            coins, 0, 1, 2, 3);
-  mlk_poly_getnoise_eta2_4x(ep.vec + 0, ep.vec + 1, ep.vec + 2, ep.vec + 3,
-                            coins, 4, 5, 6, 7);
+  mlk_poly_getnoise_eta1_4x(&sp[0], &sp[1], &sp[2], &sp[3], coins, 0, 1, 2, 3);
+  mlk_poly_getnoise_eta2_4x(&ep[0], &ep[1], &ep[2], &ep[3], coins, 4, 5, 6, 7);
   mlk_poly_getnoise_eta2(&epp, coins, 8);
 #endif
 

mlkem/indcpa.h

@@ -37,7 +37,7 @@ __contract__(
   requires(transposed == 0 || transposed == 1)
   assigns(object_whole(a))
   ensures(forall(x, 0, MLKEM_K, forall(y, 0, MLKEM_K,
-  array_bound(a[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q))));
+  array_bound(a[x][y].coeffs, 0, MLKEM_N, 0, MLKEM_Q))));
 );
 
 #define mlk_indcpa_keypair_derand MLK_NAMESPACE_K(indcpa_keypair_derand)

mlkem/poly_k.c

@@ -33,7 +33,7 @@ void mlk_polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a->vec[i]);
+    mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &(*a)[i]);
   }
 }
 
@@ -45,7 +45,7 @@ void mlk_polyvec_decompress_du(mlk_polyvec *r,
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_decompress_du(&r->vec[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU);
+    mlk_poly_decompress_du(&(*r)[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU);
   }
 
   mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
@@ -64,7 +64,7 @@ void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec *a)
 
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_tobytes(r + i * MLKEM_POLYBYTES, &a->vec[i]);
+    mlk_poly_tobytes(r + i * MLKEM_POLYBYTES, &(*a)[i]);
   }
 }
 
@@ -75,7 +75,7 @@ void mlk_polyvec_frombytes(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES])
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_frombytes(&r->vec[i], a + i * MLKEM_POLYBYTES);
+    mlk_poly_frombytes(&(*r)[i], a + i * MLKEM_POLYBYTES);
   }
 
   mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);
@@ -88,7 +88,7 @@ void mlk_polyvec_ntt(mlk_polyvec *r)
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_ntt(&r->vec[i]);
+    mlk_poly_ntt(&(*r)[i]);
   }
 
   mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_NTT_BOUND);
@@ -105,7 +105,7 @@ void mlk_polyvec_invntt_tomont(mlk_polyvec *r)
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_invntt_tomont(&r->vec[i]);
+    mlk_poly_invntt_tomont(&(*r)[i]);
   }
 
   mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_INVNTT_BOUND);
@@ -143,10 +143,10 @@ void mlk_polyvec_basemul_acc_montgomery_cached(
          t[1] <=   ((int32_t) k * 2 * MLKEM_UINT12_LIMIT * 32768) &&
          t[1] >= - ((int32_t) k * 2 * MLKEM_UINT12_LIMIT * 32768)))
     {
-      t[0] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b_cache->vec[k].coeffs[i];
-      t[0] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i];
-      t[1] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i + 1];
-      t[1] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b->vec[k].coeffs[2 * i];
+      t[0] += (int32_t)(*a)[k].coeffs[2 * i + 1] * (*b_cache)[k].coeffs[i];
+      t[0] += (int32_t)(*a)[k].coeffs[2 * i] * (*b)[k].coeffs[2 * i];
+      t[1] += (int32_t)(*a)[k].coeffs[2 * i] * (*b)[k].coeffs[2 * i + 1];
+      t[1] += (int32_t)(*a)[k].coeffs[2 * i + 1] * (*b)[k].coeffs[2 * i];
     }
     r->coeffs[2 * i + 0] = mlk_montgomery_reduce(t[0]);
     r->coeffs[2 * i + 1] = mlk_montgomery_reduce(t[1]);
@@ -190,7 +190,7 @@ void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache *x, const mlk_polyvec *a)
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_mulcache_compute(&x->vec[i], &a->vec[i]);
+    mlk_poly_mulcache_compute(&(*x)[i], &(*a)[i]);
   }
 }
 
@@ -207,7 +207,7 @@ void mlk_polyvec_reduce(mlk_polyvec *r)
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_reduce(&r->vec[i]);
+    mlk_poly_reduce(&(*r)[i]);
   }
 
   mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
@@ -222,7 +222,7 @@ void mlk_polyvec_add(mlk_polyvec *r, const mlk_polyvec *b)
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_add(&r->vec[i], &b->vec[i]);
+    mlk_poly_add(&(*r)[i], &(*b)[i]);
   }
 }
 
@@ -233,7 +233,7 @@ void mlk_polyvec_tomont(mlk_polyvec *r)
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_tomont(&r->vec[i]);
+    mlk_poly_tomont(&(*r)[i]);
   }
 
   mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLKEM_Q);

mlkem/poly_k.h

@@ -18,15 +18,8 @@
 #define mlk_polyvec_mulcache MLK_ADD_LEVEL(mlk_polyvec_mulcache)
 /* End of level namespacing */
 
-typedef struct
-{
-  mlk_poly vec[MLKEM_K];
-} MLK_ALIGN mlk_polyvec;
-
-typedef struct
-{
-  mlk_poly_mulcache vec[MLKEM_K];
-} mlk_polyvec_mulcache;
+typedef mlk_poly mlk_polyvec[MLKEM_K];
+typedef mlk_poly_mulcache mlk_polyvec_mulcache[MLKEM_K];
 
 #define mlk_poly_compress_du MLK_NAMESPACE_K(poly_compress_du)
 /*************************************************
@@ -200,7 +193,7 @@ __contract__(
   requires(memory_no_alias(r, MLKEM_POLYVECCOMPRESSEDBYTES_DU))
   requires(memory_no_alias(a, sizeof(mlk_polyvec)))
   requires(forall(k0, 0, MLKEM_K,
-         array_bound(a->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+         array_bound((*a)[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
   assigns(object_whole(r))
 );
 
@@ -230,7 +223,7 @@ __contract__(
   requires(memory_no_alias(r, sizeof(mlk_polyvec)))
   assigns(object_whole(r))
   ensures(forall(k0, 0, MLKEM_K,
-         array_bound(r->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+         array_bound((*r)[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
 );
 
 #define mlk_polyvec_tobytes MLK_NAMESPACE_K(polyvec_tobytes)
@@ -256,7 +249,7 @@ __contract__(
   requires(memory_no_alias(a, sizeof(mlk_polyvec)))
   requires(memory_no_alias(r, MLKEM_POLYVECBYTES))
   requires(forall(k0, 0, MLKEM_K,
-         array_bound(a->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+         array_bound((*a)[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
   assigns(object_whole(r))
 );
 
@@ -285,7 +278,7 @@ __contract__(
   requires(memory_no_alias(a, MLKEM_POLYVECBYTES))
   assigns(object_whole(r))
   ensures(forall(k0, 0, MLKEM_K,
-        array_bound(r->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
+        array_bound((*r)[k0].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
 );
 
 #define mlk_polyvec_ntt MLK_NAMESPACE_K(polyvec_ntt)
@@ -312,10 +305,10 @@ void mlk_polyvec_ntt(mlk_polyvec *r)
 __contract__(
   requires(memory_no_alias(r, sizeof(mlk_polyvec)))
   requires(forall(j, 0, MLKEM_K,
-  array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLKEM_Q)))
+  array_abs_bound((*r)[j].coeffs, 0, MLKEM_N, MLKEM_Q)))
   assigns(object_whole(r))
   ensures(forall(j, 0, MLKEM_K,
-  array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLK_NTT_BOUND)))
+  array_abs_bound((*r)[j].coeffs, 0, MLKEM_N, MLK_NTT_BOUND)))
 );
 
 #define mlk_polyvec_invntt_tomont MLK_NAMESPACE_K(polyvec_invntt_tomont)
@@ -344,7 +337,7 @@ __contract__(
   requires(memory_no_alias(r, sizeof(mlk_polyvec)))
   assigns(object_whole(r))
   ensures(forall(j, 0, MLKEM_K,
-  array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLK_INVNTT_BOUND)))
+  array_abs_bound((*r)[j].coeffs, 0, MLKEM_N, MLK_INVNTT_BOUND)))
 );
 
 #define mlk_polyvec_basemul_acc_montgomery_cached \
@@ -383,7 +376,7 @@ __contract__(
   requires(memory_no_alias(b, sizeof(mlk_polyvec)))
   requires(memory_no_alias(b_cache, sizeof(mlk_polyvec_mulcache)))
   requires(forall(k1, 0, MLKEM_K,
-     array_bound(a->vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
+     array_bound((*a)[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
   assigns(object_whole(r))
 );
 
@@ -453,7 +446,7 @@ __contract__(
   requires(memory_no_alias(r, sizeof(mlk_polyvec)))
   assigns(object_whole(r))
   ensures(forall(k0, 0, MLKEM_K,
-    array_bound(r->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+    array_bound((*r)[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
 );
 
 #define mlk_polyvec_add MLK_NAMESPACE_K(polyvec_add)
@@ -486,10 +479,10 @@ __contract__(
   requires(memory_no_alias(b, sizeof(mlk_polyvec)))
   requires(forall(j0, 0, MLKEM_K,
           forall(k0, 0, MLKEM_N,
-            (int32_t)r->vec[j0].coeffs[k0] + b->vec[j0].coeffs[k0] <= INT16_MAX)))
+            (int32_t)(*r)[j0].coeffs[k0] + (*b)[j0].coeffs[k0] <= INT16_MAX)))
   requires(forall(j1, 0, MLKEM_K,
           forall(k1, 0, MLKEM_N,
-            (int32_t)r->vec[j1].coeffs[k1] + b->vec[j1].coeffs[k1] >= INT16_MIN)))
+            (int32_t)(*r)[j1].coeffs[k1] + (*b)[j1].coeffs[k1] >= INT16_MIN)))
   assigns(object_whole(r))
 );
 
@@ -515,7 +508,7 @@ __contract__(
   assigns(memory_slice(r, sizeof(mlk_polyvec)))
   assigns(object_whole(r))
   ensures(forall(j, 0, MLKEM_K,
-    array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLKEM_Q)))
+    array_abs_bound((*r)[j].coeffs, 0, MLKEM_N, MLKEM_Q)))
 );
 
 #define mlk_poly_getnoise_eta1_4x MLK_NAMESPACE_K(poly_getnoise_eta1_4x)